Duane,

Duane wrote:

Those banking/fund protections may apply in some cases in the USA, but they certainly don't always in other countries. If someone steals your credit card number in France, you may still be liable. So SSL security plays a much more important role than you think. I know this from experience.


What if they steal your credit card, not because of the certificate, but because of weak security in protecting it in storage?

You would still be liable too.


Security is, after all, about the weakest link; what point is there auditing CAs if you don't audit the hosts interacting with financial information after you send it over the net?

The point in auditing the CAs is that it's better than not auditing the CAs at all.


Certainly other attacks exist, but attacks on certificates are one type of attack that is possible. I agree that indeed Mozilla should be reviewed for all types of attacks, not just crypto/certificate attacks, but not that we should ignore crypto/certificate attacks.


And how often has it happened, I think you'll find, is his point; not often, if at all. They don't need to use SSL, just look at how much money is lost every year to 419'ers.

If that's his point, then I completely disagree with it. Just because every other part of Mozilla does security reviews wrong (or not at all) doesn't mean we also should do the same for the NSS and other security components of Mozilla.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
