Consider the case where I come across a new SSL site for an online entity. The site is interesting, so I create a new account and simultaneously assign a petname. From that moment forward, I know that I am interacting with the same site I first created the account with. Now, if the thing of value is my password, what does it mean to say the initial connection was spoofed? Who was it that I found interesting?
As a sidenote: this is precisely the argument advanced by those who say that domain-validated certs are all that's necessary.
Gerv

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
