CFP: PKI research workshop

Carl Ellison cme at jf.intel.com
Mon Jan 14 17:39:52 EST 2002


At 02:19 PM 1/14/2002 -0800, Eric Rescorla wrote:
>> Of course you do.  That's why https://store.palm.com/ is such a
>> problem.  You thought you were talking to (and wanted to talk to)
>> Palm Computing, just like the logos and page layout said you were.
>> You're not.  You're talking to a MITM.  Palm hired them to run the
>> store?  The certificates don't say that.
>The certificates say EXACTLY that. They say that this entity 
>is authorized to use the domain name store.palm.com. 


There is no certificate issued by Palm to Modus Media granting it authority to do business in Palm's name.  There is only a certificate by VeriSign to the effect that Modus Media has been granted permission to use SSL server authentication for the domain name store.palm.com.  Meanwhile, the information that the user really looks at to make a security decision (the Palm logo and the little padlock) aren't related at all.


+--------------------------------------------------------+
|Carl Ellison      Intel             E: cme at jf.intel.com |
|2111 NE 25th Ave  M/S JF3-212       T: +1-503-264-2900  |
|Hillsboro OR 97124                  F: +1-503-264-6225  |
|PGP Key ID: 0xFE5AF240              C: +1-503-819-6618  |
|  1FDB 2770 08D7 8540 E157  AAB4 CC6A 0466 FE5A F240    |
+--------------------------------------------------------+




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



