Anders Rundgren wrote:
2. I may be wrong here, but is there actually anything that prevents a low- assurance certificate issuer to include high assurance policy identifiers?
What about companies selling HA certificates which allow others to actively do man in the middle attacks on others?
While my bug posting (https://bugzilla.mozilla.org/show_bug.cgi?id=294730) was theoretical but more then possible, at least 1 company that shows up in browsers (and verified by webtrust) is actually doing it.
-- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://e164.org - Using Enum.164 to interconnect asterisk servers "In the long run the pessimist may be proved right, but the optimist has a better time on the trip." _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
