Carl Ellison <[EMAIL PROTECTED]> writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
> >"Stef Caunter" <[EMAIL PROTECTED]> writes:
> >> Does a user of ssl services care to know absolutely that they are
> >> communicating verifiably with whom they believe they have contacted, or does
> >> the user care to know absolutely that their communication is completely
> >> private?
> >These are inextricably connected. If you want to know that
> >your communications are private in the face of active attack
> >you need to know who you're talking to as well.
>
> Of course you do. That's why https://store.palm.com/ is such a
> problem. You thought you were talking to (and wanted to talk to)
> Palm Computing, just like the logos and page layout said you were.
> You're not. You're talking to a MITM. Palm hired them to run the
> store? The certificates don't say that.
The certificates say EXACTLY that. They say that this entity
is authorized to use the domain name store.palm.com.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
