[6182] in cryptography@c2.net mail archive
Re: Thawte "SuperCerts"
daemon@ATHENA.MIT.EDU (EKR)
Thu Dec 2 16:13:31 1999
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: "Marcus Leech" <mleech@nortelnetworks.com>,
Radia Perlman - Boston Center for Networking <Radia.Perlman@east.sun.com>,
cryptography@c2.net
From: EKR <ekr@rtfm.com>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: 01 Dec 1999 20:40:02 -0800
In-Reply-To: "Steven M. Bellovin"'s message of "Wed, 01 Dec 1999 21:34:06 -0500"
Message-ID: <kjr9h6ez19.fsf@romeo.rtfm.com>

"Steven M. Bellovin" <smb@research.att.com> writes:
> In message <kjvh6if9pg.fsf@romeo.rtfm.com>, EKR writes:
>
> > I'm assuming it's compiled into the code, since if it were in the
> > cert database, it could be tampered with.
>
> Sure -- just like Fortify can't exist...

Fair enough.
I would have kind of expected the Netscape and MS programmers
to make at least a token attempt to prevent this sort of attack,
but you do have a point.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/