On 16/12/12 01:01 AM, James A. Donald wrote:
On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
given some of the more recent attacks against Google (and Facebook's)
customers they believe that active MiTM is actually a real threat, and
would rather not pretend to protect you from it when they aren't, by
using a self-signed certificate that they haven't verified in any way,
even by you presenting it.
Recent MITM attacks have been by entities that are likely to be able to
coerce a CA.
And, given that CA-signed client certs of a low grade are typically
validated with an email confirmation, something that google itself
retains core capabilities in, over & above the CAs, and indeed, the CA's
validation will rely on google's gmail, the logic remains byzantine.
Factory-certs are generally less secure than a self-signed,
self-presented certificate. Indeed, musing aloud, it seems provable.
iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
