Eddy Nigg (StartCom Ltd.) wrote:
> Gervase Markham wrote:
>> When Verisign issues a bogus certificate -- as it has in several cases --
>>
>> Do you have a list, with references? I know about the MS code-signing
>> certs, but no other cases.
>>
> http://www.benedelman.org/news/020305-1.html
> http://www.benedelman.org/spyware/images/installers-020305.html

Technically they weren't bogus certificates, they were dubious in nature, but not bogus.

This is another area that EV will fail unless this type of attack is considered and properly dealt with...

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
