New toy: SSLbar
Adam Fields
fields at surgam.net
Mon Jun 30 22:04:14 EDT 2003
On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote:
> Regarding the usefulness of SSLbar itself, its immediate purpose was
> fingerprint display, as a (theoretically) easy means of checking a cert's
> validity yourself, rather than relying on a third party signing. That list
> of "officially sanctioned CAs" that comes with browsers just keeps getting
> longer and longer. I don't know who the hell any of those organizations are,
> or what their policies are... Anyway, SSLbar could be made much more useful
> if I were to have it (somehow) cache fingerprints or certs, and a flag to
> indicate whether the user has validated them. Implementing this requires
> further investigation however, and I've just been pointed at this list and
> its archive, so I have some more reading to do :)
Maybe this is a stupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero.
--
- Adam
-----
Adam Fields, Managing Partner, fields at surgam.net
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
http://www.adamfields.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
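
The fingerprint cache with a "user has validated" flag proposed in the quoted message, as an added example; it is not SSLbar's code and not from either poster. The class, method and state names, the choice of SHA-256, and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept a fingerprint as pasted or read aloud: any case, ':', '-' or spaces."""
    return "".join(c for c in fp if c not in ": \t-").upper()

class FingerprintCache:
    """Hypothetical in-memory store: host -> (fingerprint, validated flag)."""

    def __init__(self):
        self._entries = {}

    def observe(self, host: str, der: bytes) -> str:
        """Classify the certificate a host just presented against the cache."""
        fp = fingerprint(der)
        entry = self._entries.get(host)
        if entry is None:
            # First sighting: remember it, but the user has not checked it yet.
            self._entries[host] = (fp, False)
            return "new-unvalidated"
        cached_fp, validated = entry
        if not hmac.compare_digest(cached_fp, fp):
            # The cached entry is kept; a changed cert never inherits the flag.
            return "mismatch-validated" if validated else "changed-unvalidated"
        return "match-validated" if validated else "match-unvalidated"

    def validate(self, host: str, out_of_band_fp: str) -> bool:
        """Set the flag only when the out-of-band value equals the cached one."""
        entry = self._entries.get(host)
        if entry is None:
            return False
        ok = hmac.compare_digest(normalize(entry[0]), normalize(out_of_band_fp))
        if ok:
            self._entries[host] = (entry[0], True)
        return ok

# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-der-bytes-for-cert-A"
CERT_B = b"constructed-der-bytes-for-cert-B"
```

The validated flag is only as good as the channel the comparison value came from, which is the gap the reply above points at.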