Re: The real problem that https has conspicuously failed to fix

2003-06-12 Thread James A. Donald
-- On 10 Jun 2003 at 23:26, Anonymous wrote: In short, if Palladium comes with the ability to download site-specific DLLs that can act as NCAs, it should allow for solving the spoofed-site problem once and for all. When you login to paypal or e-gold, you would authenticate yourself

Re: An attack on paypal

2003-06-12 Thread Nomen Nescio
Steven M. Bellovin wrote: Let me point folk at http://www.securityfocus.com/news/5654 for a related issue. To put it very briefly, *real* authentication is hard. It may be that real authentication is hard, but the unbelievably sloppy practices of domain name registrars don't prove the case.

Re: An attack on paypal

2003-06-12 Thread Matt Crawford
Matt Crawford [EMAIL PROTECTED] writes: ... Netscrape and Internet Exploder each have a hack for honoring the same cert for multiple server names. Opera seems to honor at least one of the two hacks, and a cert can incorporate both at once.

Re: The real problem that https has conspicuously failed to fix

2003-06-12 Thread Anne Lynn Wheeler
At 08:20 PM 6/11/2003 -0700, James A. Donald wrote: I think you have put your finger right on the problem. Certificates, https, and the entire PKI structure were designed for an accountless world, but the problem is accounts. or slightly more accurately doing authentication for accounts. the other

Re: An attack on paypal

2003-06-12 Thread David Honig
At 03:38 PM 6/11/03 -0600, Anne Lynn Wheeler wrote: even before e-commerce, the real BBB process was that people called up the BBB and got realtime information i.e. it was an online, realtime process. the equivalent for an online, internet paradigm (as opposed to something left over

RE: Keyservers and Spam

2003-06-12 Thread David Honig
At 05:47 PM 6/11/03 -0700, Bill Frantz wrote: To try to reflect some of David's points with a real-world situation. I was at work, with a brand new installation of PGP. I wanted to send some confidential data home so I could work with it. However I didn't have my home key at work, so I didn't

certificates the alternative view

2003-06-12 Thread Anne Lynn Wheeler
I think you have put your finger right on the problem. Certificates, https, and the entire PKI structure were designed for an accountless world, but the problem is accounts. the other view ... is using a little information theory is that certificates are stale, static, read-only copy of

Re: An attack on paypal

2003-06-12 Thread Anne Lynn Wheeler
At 05:34 PM 6/11/2003 -0700, David Honig wrote: When I buy $20 of gas with non-bearer credentials (ie, credit card), the vendor does a real-time check on me. Seems fair/useful to be able to do same on them. I suppose eBay's feedback suffices... if their last N feedbacks are negative, I might go

PKI not working

2003-06-12 Thread Anne Lynn Wheeler
picked up from an ietf pkix mailing list posting: http://www.garlic.com/~lynn/aadsm14.htm#43 http://www.kablenet.com/kd.nsf/Frontpage/2FBC229CDE8C5A1680256D43004176EA?OpenDocument -- Anne Lynn Wheeler http://www.garlic.com/~lynn/ Internet trivia 20th anv

Re: An attack on paypal

2003-06-12 Thread tom st denis
--- James A. Donald [EMAIL PROTECTED] wrote: -- On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote: Let me point folk at http://www.securityfocus.com/news/5654 for a related issue. To put it very briefly, *real* authentication is hard. I don't think so. Verisign's

Session Fixation Vulnerability in Web Based Apps

2003-06-12 Thread Steve Schear
http://www.acros.si/papers/session_fixation.pdf A Jobless Recovery is like a Breadless Sandwich. -- Steve Schear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: An attack on paypal

2003-06-12 Thread Adam Selene
IE checks the server name against each CN individually. I found that by experimentation too. I have a VBScript sample on how to generate such a CSR request for IIS using the CryptoAPI. Furthermore, IE does not care if the CNs have different domains. e.g.
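The two posts above (Matt Crawford's and Adam Selene's) describe the multiple-CN hack: a browser that walks every CN in the subject and accepts the cert if any one of them matches, regardless of domain. The matcher below is an added illustration written for this page, not code from either poster or from any browser. It contrasts that legacy behaviour with the stricter rule later standardised in RFC 6125 (dNSName subjectAltNames, when present, take precedence and the CN is ignored). The wildcard handling (one leading `*`, matching exactly one label, never a top-level or second-level name) and the sample certificate name sets are assumptions constructed for the example; nothing in the thread specifies them.

```python
from typing import List


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the requested host.

    Comparison is case-insensitive and ignores a trailing dot.  A single
    leading '*' wildcard stands for exactly one DNS label, and only when
    the pattern still has at least two further labels ('*.com' is refused).
    These wildcard rules are an assumption for this example, loosely
    following RFC 6125 section 6.4.3, not something the thread states.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # only '*.' at the very start is accepted
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def legacy_multi_cn_match(host: str, subject_cns: List[str], san_dns: List[str]) -> bool:
    """The 'hack' described in the thread: every CN is tried individually,
    CNs may belong to unrelated domains, and SANs are tried as well."""
    return any(_name_matches(n, host) for n in list(subject_cns) + list(san_dns))


def strict_match(host: str, subject_cns: List[str], san_dns: List[str]) -> bool:
    """RFC 6125 style: if the cert carries any dNSName SAN, only the SANs
    are consulted; the CN is a fallback for certs with no dNSName at all."""
    candidates = list(san_dns) if san_dns else list(subject_cns)
    return any(_name_matches(n, host) for n in candidates)


# Constructed sample certificates (name fields only), not real certs.
MULTI_CN_CERT = {
    "cns": ["www.example.com", "www.example.net", "*.mail.example.org"],
    "sans": [],
}
SAN_CERT = {
    "cns": ["www.example.net"],        # CN names a host the SAN does not
    "sans": ["www.example.com", "api.example.com"],
}


def compare(host: str, cert: dict) -> dict:
    """Return both verdicts for one host so the difference is visible."""
    return {
        "legacy": legacy_multi_cn_match(host, cert["cns"], cert["sans"]),
        "strict": strict_match(host, cert["cns"], cert["sans"]),
    }


if __name__ == "__main__":
    for host in ["www.example.net", "smtp.mail.example.org", "a.b.mail.example.org"]:
        print(host, "multi-CN cert ->", compare(host, MULTI_CN_CERT))
    for host in ["www.example.com", "www.example.net"]:
        print(host, "SAN cert ->", compare(host, SAN_CERT))
```

The interesting row is `www.example.net` against `SAN_CERT`: the legacy walk accepts it because one CN says so, while the strict rule rejects it because the cert has dNSName SANs and the CN is never consulted. That is the gap a CA has to keep in mind when it validates only the SANs it intends to issue but leaves a browser that still honours every CN.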