Hello all,
Sunday, February 24, 2008, Thomas Fernandez wrote:

> Not I "must". I "should". And if I don't do it, I must live with the
> consequences. I "must not" be nannied by my email program - especially
> since other email programs don't nanny the user. They give a pop-up
> warning and then let the user accept the expired certificate if he so
> chooses. Please don't treat me like a child, I know what I'm doing.

I am against "such" security; if you accept security, you should accept
its policy.

For example, from RFC 2246:

F.1.1. Authentication and key exchange

   TLS supports three authentication modes: authentication of both
   parties, server authentication with an unauthenticated client, and
   total anonymity. Whenever the server is authenticated, the channel is
   secure against man-in-the-middle attacks, but completely anonymous
   sessions are inherently vulnerable to such attacks.  Anonymous
   servers cannot authenticate clients. If the server is authenticated,
   its certificate message must provide a valid certificate chain
   leading to an acceptable certificate authority.  Similarly,
   authenticated clients must supply an acceptable certificate to the
   server. Each party is responsible for verifying that the other's
   certificate is valid and has not expired or been revoked.

-- 

Bye

Marek Mikus
Czech support of The Bat!
http://www.thebat.cz

Using the best The Bat! 4.0.14.5
under Windows XP 5.1 Build 2600 Service Pack 2
with MyMacros, XMP, AnotherMacros, NOD32 Antivirus plugin and AntispamSniper v 2.7.1.7

Notebook Toshiba, Core2 Duo 1.83 GHz, 1 GB RAM
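As an added illustration of the RFC text quoted above (example code, not from the original thread or from The Bat!), this Go program builds a constructed self-signed certificate, trusts it explicitly, and shows that standard chain verification still rejects it once its validity period has passed; the host name and the January 2008 validity dates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const host = "mail.example.invalid" // constructed name, not a real server
// CheckServerCert is the client-side check the RFC describes: a chain to a
// trusted root, a matching name, and a validity period that contains now.
func CheckServerCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err // a strict client aborts the handshake on any error
}

// ExpiryDemo trusts a throwaway self-signed certificate valid only during
// January 2008 and checks it on 15 January (inside) and 24 February (expired).
func ExpiryDemo() (insideWindow, afterExpiry, setup error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2008, 2, 1, 0, 0, 0, 0, time.UTC),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the user explicitly trusts this certificate
	insideWindow = CheckServerCert(cert, roots, time.Date(2008, 1, 15, 0, 0, 0, 0, time.UTC))
	afterExpiry = CheckServerCert(cert, roots, time.Date(2008, 2, 24, 0, 0, 0, 0, time.UTC))
	return insideWindow, afterExpiry, nil
}
```

Explicit trust in the certificate does not override the validity check: the same trusted certificate verifies inside its window and fails after it, which is the behaviour the RFC's "valid and has not expired" wording requires of the client.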

________________________________________________________
 Current beta is 4.0.14.4 | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html