On Wed, 20 Jun 2001 15:58:48 MDT, Vernon Schryver <[EMAIL PROTECTED]>  said:
> > From: Adam Shostack <[EMAIL PROTECTED]>
> 
> > ...
> > Yes.  I made a point of saying "The threat under discussion is that
> > there is a proxy modifying content..." because this discussion started
> > with OPES.  In that particular case, where random people might
> > approach your website, you want to send them content that is
> > authenticated, and there is no out-of-band channel, then you don't have a
> > way to send them a certificate reliably.
> 
> There is no creditable threat that OPES or OPES-like mechanisms would
> filter, replace, or modify my or anyone's certificates.  It is silly
> to imply that AOL might use something like OPES to defeat the distribution
> of certificates that would wreck SMTP interception proxies like AOL's.

I think you misread this - what Adam *meant* was that without a workable
low-cost PKI system, or other means of distributing certificates, the
person at the other end doesn't have a certificate to verify that an OPES-class
mechanism hasn't done something ELSE to the bits.

If I create a self-signed CA to protect my personal website on my
computer, how do you get the certificate so you can verify that an OPES
hasn't translated my text into an obscene poem in kanji?   That's
the threat model here....

/Valdis
