Chris Shiflett wrote:
> Richard,
>> Do you really believe that for $200 (or $119, or $500) that they "proven"
>> themselves trustworthy?

LOL no, I don't. As a matter of fact crooks usually have more money in 
their pockets than honest people do, so it's highly possible that a 
crook will pay the money while the innocent will save his last cent :))

> Now you've changed from "secure" to "secure from snooping." Notice the 
> difference? It is significant. Like I said before, encrypting the 
> transmission is useless by itself. To put it plainly:
> encryption != security
> What if you trust your friend who owns safeplace.org, and you want to do 
> business with him? Maybe you visit his site and enter a credit card 
> number somewhere. Thankfully, you notice that the lock icon is showing, 
> and that he is using SSL. With this warped idea of SSL where encryption 
> is all that counts, what if you find out that you're not really on 
> safeplace.org? You're really at evilcriminal.org, and he has a virtual 
> domain setup for safeplace.org. Also, he generated his own certificate 
> for safeplace.org using his own CA (good thing there was not C&A process 
> to undergo). So you have now sent the evil criminal your credit card 
> number because you trusted his domain name. Good thing it's secure, right?

So, let's see if I got you right:

   1) SSL just says we our packets are difficult to open, that is,
      they are encrypted. Nothing more

   2) Our packets are difficult to open but they are totally open
      to Uncle Sam's control software, as the RSA thingy cannot
      shield them from "governmental inspection", which makes sense
      if you are writing software for an american citizen but
      it's pretty annoying if your customer is from somewhere else.

   3) A key is nothing more than a negotiation token, a mere building
      brick that is used to fire the process.

   4) the "trust" you buy is something like a fixed IP number, that is
      the guys in the major do certify that you *are* who you pretend
      to be.

   5) If the one I am pretending to be is a criminal, being trusted by
      Verisign (or whoever in their place) won't make any difference.
      Their "license" just means that you are really dealing with those
      you think you are dealing with and that they do bear legal
      responsibility for whatever will happen in the transaction.
      Again, legal action will eventually have different
      results depending on where the trusted company is based, since
      not all countries have the same normative set. But that has
      nothing to do with the SSL protocol in itself.

Now, there's a question regarding point 4). What if someone from 
gets the certified key pair and hands it over to some crook outside the 
company? I hope this is not just as easy as it sounds (the key pairs 
will probably check something in the environment before starting to 
shout "YEAAAH!! IT'S MEEE!!!") but still...

As for point 2), please get me right. I have my own political opinions 
as anybody
else, but my concern here is a professional one, since my customers are 99%
not americans. Small-mid sized companies (including mine) usually do not 
give a
damn about having their messages read by american eyes (we are simply 
not worth the trouble of looking in our archives) but large companies 
and Govt. organizations are *much* less indifferent to the subject, and 
I guess it's understandable, they want their privacy to be for real.




LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to