[14373] in cryptography@c2.net mail archive
Re: Monoculture
daemon@ATHENA.MIT.EDU (Dave Howe)
Wed Oct 1 14:53:35 2003
X-Original-To: cryptography@metzdowd.com
From: "Dave Howe" <DaveHowe@gmx.co.uk>
To: "Email List: Cryptography" <cryptography@metzdowd.com>
Date: Wed, 1 Oct 2003 19:30:06 +0100
Jill Ramonsky wrote:
> Is it possible for Bob to instruct his browser to (a) refuse to trust
> anything signed by Eve, and (b) to trust Alice's certificate (which
> she handed to him personally)? (And if so, how?)
>
> I am very much hoping that you can answer both (a) and (b) with a yes,
OK then, "yes" :)
What it comes down to is a browser will trust any certificate either
a) explicitly marked as trusted or
b) signed by a root CA in its root certificate store
So the correct procedure for (a) is for Bob to delete Eve's root
certificate from his root store.
For (b) he can either explicitly mark Alice's cert as accepted, or
(technically more interesting) if he trusts her as "introducer" add her
root cert - which is the same thing if she self-signed her cert - to his
root store, so that *any* cert she signs is accepted.
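The store-based trust decision described in the message above, as an added example that is not part of the original post: `openssl verify` with a PEM file stands in for Bob's browser root store, and every name, subject and file here (alice, eve, alice-site, eve-site, the store files) is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo: the CAs, sites and file names are made up for illustration.
# A PEM file passed to "openssl verify -CAfile" plays the role of Bob's root store.
set -eu
cd "$(mktemp -d)"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_root NAME: self-signed root certificate NAME.pem with key NAME.key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -subj "/CN=$1 Root" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue CA SITE: certificate SITE.pem for SITE, signed with CA's key
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# trusted STORE CERT: prints yes if CERT chains to a root in STORE, else no
trusted() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_root alice; make_root eve
issue alice alice-site; issue eve eve-site

cp eve.pem store_before.pem    # Bob's store to begin with: Eve's root only
cp alice.pem store_after.pem   # Eve's root deleted, Alice's root added

for store in store_before.pem store_after.pem; do
  for cert in alice-site.pem eve-site.pem alice.pem; do
    echo "$store $cert trusted=$(trusted "$store" "$cert")"
  done
done
```

With Alice's root in the store, both her own self-signed certificate and anything she signs verify, which is the "introducer" case; nothing signed by Eve verifies once her root is gone.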