[14374] in cryptography@c2.net mail archive


Re: Monoculture

daemon@ATHENA.MIT.EDU (Barney Wolff)
Wed Oct 1 14:54:15 2003

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 1 Oct 2003 14:33:17 -0400
From: Barney Wolff <barney@databus.com>
To: Jill Ramonsky <Jill.Ramonsky@aculab.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <3F7AF751.90601@aculab.com>

On Wed, Oct 01, 2003 at 04:48:33PM +0100, Jill Ramonsky wrote:
> 
> But I would like to ask you to clarify something about SSL which has 
> been bugging me. Allow me to present a scenario. Suppose:
> (1) Alice runs a web server.
> (2) Bob has a web client.
> (3) Alice and Bob know each other personally, and see each other every day.
> (4) Eve is the bad guy. She runs a Certificate Authority, which is 
> trusted by Bob's browser, but not by Bob.
> Is it possible for Bob to instruct his browser to (a) refuse to trust 
> anything signed by Eve, and (b) to trust Alice's certificate (which she 
> handed to him personally)? (And if so, how?)

The list of trusted certs is part of the browser config, and can be
altered.  It would be hard to imagine a browser so badly written as
to hard-code that list.  Certainly Mozilla makes it easy (Manage Certs
under Privacy & Security in Edit Preferences) and I've even added
a self-signed server cert under IE with no trouble or inconvenience.
(Yes it did ask whether to accept the site's cert.)

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
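The trust-store edit described in the reply above, shown as an added example that is not part of the original thread or of any browser's code. It assumes only the openssl command-line tool. Eve's CA, the certificate she issues for Alice's name, and Alice's self-signed certificate are all generated fresh in a temporary directory (the names are constructed for the scenario); "browser-default.pem" stands in for the bundle a browser ships with, and "bob-trust.pem" is the edited list in which Eve's CA is absent and Alice's hand-delivered certificate is the only anchor.

```shell
#!/bin/sh
# Added example (not from the thread): Bob's per-user trust store that omits
# Eve's CA and trusts only Alice's self-signed certificate.
# Requires the openssl CLI; every key and certificate here is a throwaway
# generated below, nothing is a real identity.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Eve: a CA that is in the browser's shipped bundle but that Bob does not trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/eve-ca.key" \
  -out "$WORK/eve-ca.pem" -days 7 -subj "/CN=Eve Root CA" 2>/dev/null

# A certificate for Alice's hostname issued by Eve: valid under the shipped
# bundle, which is exactly what Bob wants his browser to stop accepting.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/eve-issued.key" \
  -out "$WORK/eve-issued.csr" -subj "/CN=alice.example" 2>/dev/null
openssl x509 -req -in "$WORK/eve-issued.csr" -CA "$WORK/eve-ca.pem" \
  -CAkey "$WORK/eve-ca.key" -CAcreateserial -out "$WORK/eve-issued.pem" \
  -days 7 2>/dev/null

# Alice: the self-signed server certificate she handed to Bob in person.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/alice.key" \
  -out "$WORK/alice.pem" -days 7 -subj "/CN=alice.example" 2>/dev/null

# The browser's default list (constructed): contains Eve's CA.
cp "$WORK/eve-ca.pem" "$WORK/browser-default.pem"

# Bob's edited list: Eve removed entirely, Alice's certificate added as an anchor.
cp "$WORK/alice.pem" "$WORK/bob-trust.pem"

# verify_cert CERT STORE -> prints "ok" if CERT chains to an anchor in STORE,
# otherwise "fail". A self-signed cert present in STORE is itself an anchor.
verify_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone run: show the three outcomes.
echo "Eve-issued cert, shipped bundle:  $(verify_cert "$WORK/eve-issued.pem" "$WORK/browser-default.pem")"
echo "Eve-issued cert, Bob's store:     $(verify_cert "$WORK/eve-issued.pem" "$WORK/bob-trust.pem")"
echo "Alice's own cert, Bob's store:    $(verify_cert "$WORK/alice.pem" "$WORK/bob-trust.pem")"
```

The point of the three checks: with the shipped bundle, a certificate Eve issues for Alice's hostname verifies; once Eve is dropped from the store, the same certificate fails with no issuer found, while Alice's self-signed certificate verifies because it is itself the trust anchor. A browser that keeps its trusted list in editable configuration, as the reply says Mozilla and IE do, lets Bob apply exactly this change.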
