--
On 3 Sep 2002 at 11:16, Meyer Wolfsheim wrote:
> I encourage everyone to send Bill Gates an email from
> himself.  =)
>
> =============================================================
> ========= ==== Vendor Notification Status
>
> Microsoft knows about this, of course, but "isn't even sure
> whether to call this a 'vulnerability'."  Right.

While the immediate bug is in Microsoft IE and Outlook, this
exploit is also a reflection of the contorted mess that is the
certificate structure and the public key infrastructure, and of
the fact that Verisign is not doing its job.  (This exploit
only works if one starts with a legitimate verisign certificate
for a web site, it does not work if one starts with a
legitimate Thawte certificate.)

Microsoft unambiguously screwed up, but the infrastructure made
it easy to screw up, and difficult and expensive to get things
right. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     2S6sg825yJSZ69s23KyOvpaHYYQYbgoRuPl2j1JZ
     24hZwF+YmQMFl2hK8LOkiesmNrg+xJ0ZdA1qPUzQU

Reply via email to