Basically, PKI in this situation is not worth risking your life on, and I'd suggest to your friend to use self-signed certificates and verify the fingerprint by phone to the person that issues it and dump all other certificates from the browser used for communications...
So, when security really matters, you'd tell people to drop the time-proven security methods, and fall back on ad-hoc methods that they probably don't understand fully. Do I have that right?
/Nelson
P.S. Greetings on the 6th anniversary of the opening of the Mozilla source code.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
