Bob is 100% correct on this. Basically, it is a perfect example of why
VeriSign is a Very Bad Thing (TM). Of course, being owned by Network
Associates hasn't done them a whole lot of good. The only proof that they
require to create a new cert is the company's ID number, which you can look
up on the web. Basically, you can create a digital cert for any company out
there, if you want to shell out the $975.

I really don't see this as being all that big of a threat to anyone except
for Microsoft. A few courts have upheld that digital signatures are legally
binding. Therefore, if this cert was used in any form of agreement, then
Microsoft could be held liable for the cost of that agreement. Of course,
I'm sure that they would just turn around and sue VeriSign, as well as
raise their prices to recover the loss ;-)

C-Ya,
Kenny

At 10:28 AM 3/23/01 -0500, Bob Bell wrote:
>On Fri, Mar 23, 2001 at 08:26:38AM -0500, Taylor, Chris <[EMAIL PROTECTED]>
>wrote:
> > Just for those of you who have not seen the bulletin, there is yet another
> > reason to look towards Linux.
>
> My understanding is that this has nothing to do with Microsoft
>Windows. This will likely only affect you if you go to a website, and
>your web browser asks you if you want to accept a certificate. Since it
>says "signed by Microsoft Corporation", you might be more inclined to
>say "yes". However, here the certificate actually belongs to a
>third-party, and could conceivably be signing malicious code.
>
> This is not related to MS Windows. The error here was made by
>VeriSign, not Microsoft, who was tricked into believing that the
>individual who registered the certificate was an authorized Microsoft
>employee. The only thing that one could possibly blame Microsoft for
>is that Internet Explorer doesn't automatically check to see if a
>certificate has been revoked by VeriSign. However, I'm not sure if any
>other browsers do, either. It may also be true that these certificates
>are limited to ActiveX controls, but they just as well could have been
>issued for other purposes.
>
>--
>Bob Bell <[EMAIL PROTECTED]>
>-------------------------------------------------------------------------
> "Parentheses in Perl are like shoes in the Caribbean."
> -- Larry Wall, creator of the Perl programming language
>
>**********************************************************
>To unsubscribe from this list, send mail to
>[EMAIL PROTECTED] with the following text in the
>*body* (*not* the subject line) of the letter:
>unsubscribe gnhlug
>**********************************************************
-------------------------------------------------
Kenneth E. Lussier
Geek by nature, Linux by choice
PGP KeyID 0xD71DF198
Public key available @ http://pgp.mit.edu