Carl Ellison <[EMAIL PROTECTED]> writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
> >"Stef Caunter" <[EMAIL PROTECTED]> writes:
> >> Does a user of ssl services care to know absolutely that they are
> >> communicating verifiably with whom they believe they have contacted, or does
> >> the user care to know absolutely that their communication is completely
> >> private?
> >These are inextricably connected. If you want to know that
> >your communications are private in the face of active attack
> >you need to know who you're talking to as well.
>
> Of course you do. That's why https://store.palm.com/ is such a
> problem. You thought you were talking to (and wanted to talk to)
> Palm Computing, just like the logos and page layout said you were.
> You're not. You're talking to a MITM. Palm hired them to run the
> store? The certificates don't say that.

The certificates say EXACTLY that. They say that this entity is
authorized to use the domain name store.palm.com.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/