Now that we have a handful of major certificate authorities like VeriSign, and now that browsers come with a bunch of public keys, it looks like we have a viable working universal PKI system for SSL and other real work. Say goodbye to "Man-in-middle-attacks"! yay!
Seriously, I'm curious what people think about this PKI system and what the attack vectors are to be concerned about. Please tell me if these two attack vectors I've heard of are worrisome....

* You can attack web browser packages in Linux distributions. If you can put a fake VeriSign public key in the Firefox package you just killed the PKI system, right?
* You can somehow "fool" a cert authority to give you a public key they should not. (I'm not sure this is much of a threat anymore after bad press about someone getting a Verisign'ed M$ cert IIRC. Perhaps someone thought of clever ways to protect against this?)

Chris

--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
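A defensive check for the first vector in the post above, as an added example that is not part of the original message: fingerprint every root in a trust store and compare the set with a baseline. The function names are hypothetical, the "certificates" are constructed byte strings rather than real X.509, and the baseline is assumed to have been recorded from a copy of the bundle obtained through a separate trusted channel.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(bundle_pem):
    """Map SHA-256 fingerprint -> PEM block for each certificate in a bundle."""
    out = {}
    for block in PEM_RE.findall(bundle_pem):
        der = ssl.PEM_cert_to_DER_cert(block)  # base64-decodes the PEM body
        out[hashlib.sha256(der).hexdigest()] = block
    return out

def audit(bundle_pem, baseline):
    """Return (unexpected, missing) fingerprints relative to the baseline set."""
    present = set(fingerprints(bundle_pem))
    return sorted(present - baseline), sorted(baseline - present)

# Constructed sample data: opaque bytes wrapped in PEM armor, not real roots.
ROOT_A = ssl.DER_cert_to_PEM_cert(b"constructed root A")
ROOT_B = ssl.DER_cert_to_PEM_cert(b"constructed root B")
ROGUE = ssl.DER_cert_to_PEM_cert(b"constructed rogue root")

# Assumption: the baseline was taken from a known-good bundle out of band.
BASELINE = set(fingerprints(ROOT_A + ROOT_B))

# The bundle as shipped by a tampered package: root B swapped for a rogue key.
TAMPERED = ROOT_A + ROGUE

if __name__ == "__main__":
    unexpected, missing = audit(TAMPERED, BASELINE)
    for fp in unexpected:
        print("unexpected trust anchor:", fp)
    for fp in missing:
        print("baseline anchor missing:", fp)
```

The comparison only detects that the set of trust anchors changed; it is only as trustworthy as the channel the baseline came from, so a baseline shipped in the same package as the bundle proves nothing.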
