Monoculture
Barney Wolff
barney at databus.com
Wed Oct 1 14:33:17 EDT 2003
On Wed, Oct 01, 2003 at 04:48:33PM +0100, Jill Ramonsky wrote:
>
> But I would like to ask you to clarify something about SSL which has
> been bugging me. Allow me to present a scenario. Suppose:
> (1) Alice runs a web server.
> (2) Bob has a web client.
> (3) Alice and Bob know each other personally, and see each other every day.
> (4) Eve is the bad guy. She runs a Certificate Authority, which is
> trusted by Bob's browser, but not by Bob.
> Is it possible for Bob to instruct his browser to (a) refuse to trust
> anything signed by Eve, and (b) to trust Alice's certificate (which she
> handed to him personally)? (And if so, how?)
The list of trusted certs is part of the browser config, and can be
altered. It would be hard to imagine a browser so badly written as
to hard-code that list. Certainly Mozilla makes it easy (Manage Certs
under Privacy & Security in Edit Preferences) and I've even added
a self-signed server cert under IE with no trouble or inconvenience.
(Yes it did ask whether to accept the site's cert.)
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list