[19302] in cryptography@c2.net mail archive
Re: browser vendors and CAs agreeing on high-assurance certificates
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Dec 18 13:59:29 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com
In-Reply-To: (Your message of "Sun, 18 Dec 2005 09:47:27 PST.")
<43A5302F.24812.6E83E65@localhost>
Date: Sun, 18 Dec 2005 12:52:51 -0500
In message <43A5302F.24812.6E83E65@localhost>, "James A. Donald" writes:
> --
>
>
>Has anyone been attacked through a certificate that
>would not have been issued under stricter security? The
>article does not mention any such attacks, nor have I
>ever heard of such an attack.
>
>If no attacks, this is just an excuse for higher priced
>holy water, an attempt to alter the Browser interface to
>increase revenue, not increase security - to solve the
>CA's problem, not solve the user's problem.
>
The very first phishing attack I ever heard of was for paypa1.com. As
I recall, they did have a certificate.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com