Ka-Ping,

Ka-Ping Yee wrote:
What other way does the average non-technical user have to know that the
secure website is the one truly intended and not a fake, except to
rely upon a third party to do the verification for them? Self-signed
certs certainly don't provide any of that type of assurance.

What matters is that the certificate represents the *same* organization
you created the account with, not that the certificate was purchased
from a particular company.

What account are you talking about?

Using a petname field to label a website is really no different than
assigning names to your IM buddies, which people already do.  Why doesn't
impersonation work on IM? [*]  Because your buddy list keeps track of who
you know.  It can be the same way, and just as easy, with Web browsers.


-- ?!ng

[*] If your IM protocol is not encrypted, you are vulnerable.  Compare
    apples to apples, though: the analogy is between encrypted IM and
    browsing the Web with SSL.

Assuming your IM protocol is encrypted, somehow when your IM client talks to an IM server, or to an IM peer, it needs to verify the identity of that server or peer before logging in. Encryption buys you nothing if your client encrypts to the wrong party.
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
