[13743] in cryptography@c2.net mail archive
Re: New toy: SSLbar
daemon@ATHENA.MIT.EDU (Adam Fields)
Mon Jun 30 22:12:38 2003
X-Original-To: cryptography@metzdowd.com
Date: Mon, 30 Jun 2003 22:04:14 -0400
From: Adam Fields <fields@surgam.net>
To: Mister Lee <mister_lee@metropipe.net>
Cc: cryptography@metzdowd.com
In-Reply-To: <20030626145202.496995F85E@mail.metropipe.net>
On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote:
> Regarding the usefulness of SSLbar itself, its immediate purpose was
> fingerprint display, as a (theoretically) easy means of checking a cert's
> validity yourself, rather than relying on a third party signing. That list
> of "officially sanctioned CAs" that comes with browsers just keeps getting
> longer and longer. I don't know who the hell any of those organizations are,
> or what their policies are... Anyway, SSLbar could be made much more useful
> if I were to have it (somehow) cache fingerprints or certs, and a flag to
> indicate whether the user has validated them. Implementing this requires
> further investigation however, and I've just been pointed at this list and
> its archive, so I have some more reading to do :)
Maybe this is a stupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero.
--
- Adam
-----
Adam Fields, Managing Partner, fields@surgam.net
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
http://www.adamfields.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
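To make the exchange concrete, here is an added example (not SSLbar's code and not from anyone in the thread) of what a per-host fingerprint cache with a "validated by the user" flag would do: hash the DER certificate the way browsers display it, remember the first fingerprint seen, let the user mark it validated only after comparing it against a value obtained out of band, and report a mismatch when a different certificate later appears. The host name and certificate bytes are constructed placeholders.

```python
import hashlib
import hmac

def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Hash the DER encoding and render it browser-style: upper-case hex, colon separated."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept a fingerprint as typed or read aloud: ignore colons, spaces and case."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

class FingerprintCache:
    """Per-host cache of the first fingerprint seen plus a 'validated' flag."""
    def __init__(self):
        self.entries = {}  # host -> {"fp": normalized fingerprint, "validated": bool}

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'new', 'match-validated', 'match-unvalidated' or 'mismatch' for this cert."""
        fp = normalize(fingerprint(der_cert))
        entry = self.entries.get(host)
        if entry is None:
            self.entries[host] = {"fp": fp, "validated": False}  # trust-on-first-use, unverified
            return "new"
        if hmac.compare_digest(entry["fp"], fp):
            return "match-validated" if entry["validated"] else "match-unvalidated"
        return "mismatch"  # certificate changed since first seen: re-verify out of band

    def mark_validated(self, host: str, fp_from_out_of_band: str) -> bool:
        """Set the flag only if the out-of-band value equals the cached fingerprint."""
        entry = self.entries.get(host)
        if entry is None or not hmac.compare_digest(entry["fp"], normalize(fp_from_out_of_band)):
            return False
        entry["validated"] = True
        return True

# Constructed stand-ins for DER certificates; the cache only ever hashes the bytes.
CERT_A = b"\x30\x82\x01\x00CONSTRUCTED-CERT-A"
CERT_B = b"\x30\x82\x01\x00CONSTRUCTED-CERT-B"

def demo():
    cache = FingerprintCache()
    r1 = cache.check("bank.example", CERT_A)           # "new": cached, not yet validated
    phone = fingerprint(CERT_A).lower()                # value the site would have to give you (constructed)
    ok = cache.mark_validated("bank.example", phone)   # True: matches the cached entry
    r2 = cache.check("bank.example", CERT_A)           # "match-validated"
    r3 = cache.check("bank.example", CERT_B)           # "mismatch": different cert for the same host
    return r1, ok, r2, r3
```

If the site cannot supply a fingerprint over any independent channel, as in the survey above, the entry can never leave the "unvalidated" state, which is exactly the gap the question points at.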