Anders Rundgren wrote:

2. I may be wrong here, but is there actually anything that prevents a low-
assurance certificate issuer to include high assurance policy identifiers?

What about companies selling HA certificates which allow others to actively do man in the middle attacks on others?

While my bug posting (https://bugzilla.mozilla.org/show_bug.cgi?id=294730) was theoretical but more then possible, at least 1 company that shows up in browsers (and verified by webtrust) is actually doing it.

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

Reply via email to