[18319] in cryptography@c2.net mail archive


Re: Another entry in the internet security hall of shame....

daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Aug 29 09:55:50 2005

X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: <cryptography@metzdowd.com>
Date: Sun, 28 Aug 2005 19:32:25 -0700
In-reply-to: <4312084B.5050208@gmx.co.uk>

    --
From: Dave Howe <DaveHowe@gmx.co.uk>
> 2) Google got into the CA business; namely, all 
> GoogleMail owners suddenly found they could send and 
> receive S/Mime messages from their googlemail 
> accounts, using a certificate that "just appeared" and 
> was signed by the GoogleMail master cert. Given the 
> GoogleMail user base, this could make GoogleMail a 
> de facto CA in days.
>
> 3) This certificate was downloaded to your GoogleTalk 
> client on login, and NEVER cached locally
>
> Ok, from a Security Professional's POV this would be a 
> horror - certificates all generated by the CA (with no 
> guarantees they aren't available to third parties) but 
> it *would* bootstrap X509 into common usage,

That horse is dead.  It is not going into common usage.

SSL works in practice; X509 with CA certs does not work 
in practice.  People have been bullied into using it by 
their browsers, but it does not give the protection 
intended, because people do what is necessary to avoid 
being nagged by browsers, not what is necessary to be 
secure. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     mQ0rM7wYdVTuoeMRUcrpDc1V9pUqhEgUmJMtyCZZ
     469u1yKDDCKWaUWwU/LYyE/7CVNRZV7OjXCs+Kyyc



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
