On 2012-12-18 1:25 AM, CodesInChaos wrote:
> One could require the user to specify/confirm a certificate
> fingerprint on gmail in such a case. That way you're MitM proof, even
> with a self signed certificate.

Who is the real you? Well, obviously the you that knows the gmail password.
Therefore, the password should not be communicated in the clear. Gmail
should not care whether you have a validly signed certificate, but you
should care whether gmail has a validly signed certificate, and that it
has the usual signature.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography