Frank Hecker wrote:
> Per my above comments, if I do end up going to this meeting with Gerv,
> don't expect to see me publishing a detailed report on any discussions.
> However if I have time in the next few weeks I will post any relevant
> thoughts I have in reference to the general issues discussed, based on
> public information available to me or anyone else.

While you have some fair points, I have to respectfully disagree with your last one. This is being touted as representative of the CA and browser communities/vendors, when I'm guessing it's only encompassing a very finite view of security based around monetary value of it alone. As pointed out in the past (by yourself as well), browser SSL/TLS security extends beyond credit card payments alone...

Actually this reminds me of a point for Gerv: when will Mozilla products warn about potential man-in-the-middle attacks when certificate fingerprints change? Because at present Verisign has the potential to actively man-in-the-middle any SSL website out there. They control both the DNS infrastructure as well as having their root certificates in all the browsers, so could easily redirect DNS to a proxy server with an alternate SSL certificate and capture traffic till their heart's content.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
