CFP: PKI research workshop

D. A. Honig dahonig at home.com
Tue Jan 15 09:16:45 EST 2002


At 01:59 PM 1/14/02 -0800, Eric Rescorla wrote:
>Saying that SSL without certificates is fine as long as you
>don't have active attacks is kind of like saying that leaving
>your front door open is fine as long as no one tries to break
>in.

No, it's more.  SSL sans certs is like using envelopes to write to
Dear Abby.  You have no authentication on who Dear Abby
"really is" but your communications are private.

Since the entity who claims to be Dear Abby also gives
a communications address, writing to Dear Abby at that 
address is sufficient. (Modulo MIM attacks)

[Moderator's note: Except that's precisely the point: "Modulo MIM
attacks" is like saying "we're all immortal, modulo death". The
question isn't some sort of mystification of identity -- it is being
able to know that you're talking to the same "Dear Abby" your friends
have talked to and that you talked to last week. Now that MIM attacks
have been automated they don't even need sophistication to conduct. --Perry]

When you call a phone number listed with an advert,
and give them your credit card number, you have less
confidentiality (you're speaking plaintext), but it's the same model.





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
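The "envelope without a return-address check" argument above, as an added illustration that is not part of the original message or the list: an unauthenticated key exchange seals the letter against a passive reader, but gives the sender no way to tell whether the public value that arrived is Dear Abby's, so the one check available without certificates is continuity, remembering the value seen last week and flagging a change. The toy group, the `PinStore` class and the "Dear Abby" name are constructed for this example only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small
# and too smooth for real use; a real deployment uses a standard group).
P = (1 << 127) - 1
G = 5


def keypair():
    """Fresh ephemeral private/public pair for one conversation."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Symmetric key derived from the shared secret; both sides must agree."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


class PinStore:
    """Remember the first public value seen from each correspondent (trust on
    first use). A later mismatch is the only signal available without a CA."""

    def __init__(self):
        self.pins = {}

    def check(self, name, pub):
        fp = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]
        if name not in self.pins:
            self.pins[name] = fp          # nothing to compare against yet
            return "first-contact"
        return "ok" if self.pins[name] == fp else "CHANGED"


def run_session(pins, abby_priv, abby_pub, intercepted=False):
    """One letter to 'Dear Abby'. Returns (pin verdict, sender key, Abby key).

    When intercepted, a relay with its own key pair sits between the two and
    hands each side its own public value instead of the genuine one: both
    conversations stay 'private', but with different keys, and only the
    pinned value from the earlier conversation reveals that anything changed.
    """
    s_priv, s_pub = keypair()
    if intercepted:
        _, relay_pub = keypair()
        sender_sees, abby_sees = relay_pub, relay_pub
    else:
        sender_sees, abby_sees = abby_pub, s_pub
    verdict = pins.check("Dear Abby", sender_sees)
    return verdict, session_key(s_priv, sender_sees), session_key(abby_priv, abby_sees)
```

The verdict is "first-contact" on the first letter, "ok" while the same public value keeps arriving, and "CHANGED" when a relay's value shows up, which is the moment the two sides' keys stop matching.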