Re: Opinions of Digital Signing of Email & Encryption

From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Fri, 7 Jun 2002 18:42:53 +1000


Hi Kent:

"Kent W. England [MVP]" <kwe@mvps.org> wrote in message
news:uFUa7AXDCHA.1064@tkmsftngp04...

> I recall a recent incident where Verisign gave a Microsoft certification
> to some hackers who then briefly distributed software, IIRC. The hackers
> cracked the Verisign administration. Any user would have had absolutely
> no way of knowing (outside of out-of-band channels such as the mass
> media) that the certificate was bad, since it wasn't.

http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

> There is absolutely no reason to trust Verisign. I prefer the PGP web of
> trust model, since I can build and maintain that myself. But we can have
> both.

PKI is a robust solution for centrally controlled enterprises. A centralised
root gives us convenience, but you can implement the same practices for
X.509 PKI as for PGP: just build the list of your trusted peers manually,
don't allow for automatic trust. Anyway, GPG is here to stay :)

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

