Ian G wrote:
> Ah, to clarify, I was sort of assuming they
> wanted the cert for their website. If they
> wanted the cert for email/code signing,
> then that won't be so easy.
More....
"Firstly we have to talk about where this piece of code has to be:
- Many websites run a guestbook that allows users to insert HTML.
- Some providers allow their users to run a private website at
www.domain.com/user or www.domain.com/~user.
- Some providers give users a subdomain like user.domain.com
- Some ISPs don't allow you to access domain.com but only www.domain.com
Secondly we have to think about who might be allowed to change this
index page:
- Some WIKIs allow everyone to change their index page
- Some pages have a newsticker on their index page that can be
updated by normal users (e.g. www.fsi.uni-tuebingen.de)
- Websites are often run by a multimedia/design/... department
that has nothing to do with administration."
... and...
"Many websites run php/cgi/whatever scripts that are vulnerable to
code-injection, and would allow an attacker to put the cacert code
wherever the attacker likes. phpBB comes to mind, and so many other
applications."
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto