that), are not more people
jumping up and
down yelling that it is being used incorrectly?
Am I missing something obvious here? I look forward to any comments you might have.
-- Tom Otvos
Don't think you are. Know you are. - Morpheus
So what purpose would client certificates address? Almost all of the use
of SSL domain name certs is to hide a credit card number when a consumer
is buying something. There is no requirement for the merchant to
identify and/or authenticate the client the payment infrastructure
Nobody doubts that it can occur, and that it *can*
occur in practice. It is whether it *does* occur
that is where the problem lies.
Or, whether it gets reported if it does occur.
The question is one of costs and benefits - how much
should we spend to defend against this attack? How