Re: Question regarding SSL/TLS
- From: Barry Margolin <barmar@xxxxxxxxxxxx>
- Date: Tue, 22 Aug 2006 16:34:12 -0400
In article <4l1580Feb7pcU1@xxxxxxxxxxxxxx>,
Sebastian Gottschalk <seppi@xxxxxxxxx> wrote:

> Markus Jansson wrote:
>> Of course Verisign could sign a bogus key for me for
>> https://www.hushmail.com but why the heck would they do that?
>
> Because they're stupid?
> Hint: They signed a key of an unknown, who called in by anonymous phone,
> a cert on the company name "Microsoft Corporation". Yes, Class 3, which
> normally requires a full identity verification process.
>
>> They get more money from publishing valid certs than invalid ones.
>
> No, they get money for publishing certs. Really doesn't matter if valid
> or spoofed.

But their reputation should be based on how well they validate certs
before publishing them. Ideally, browser vendors would not include the
certificates of CAs with bad reputations, and site owners would not
publish their certs through them. And if site owners don't publish
certs through them, they don't get money.
--
Barry Margolin, barmar@xxxxxxxxxxxx
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***