Monoculture

Dave Howe DaveHowe at gmx.co.uk
Thu Oct 2 11:58:27 EDT 2003


Jill Ramonsky wrote:
> This seems to me to be a /serious/ flaw in the design of MSIE. What if
> Alice doesn't /have/ a CA because she can't afford their fees?
Alice can be her own CA if she wishes to - all you need is a copy of
OpenSSL or, if you like having GUI interfaces, XCA
(http://sourceforge.net/projects/xca/), both of which are free.

> (or she
> doesn't trust them, or for any other reason you might care to think
> of). In fact, if I've understood this correctly, if Alice uses MSIE,
> she can't even tell her browser to trust her own website, despite
> being in possession of not only her own public key, but her own
> secret key as well! What is it with MSIE that it would prefer to
> trust someone other than Alice about the authenticity of Alice's
> site !!!???
She can so inform MSIE - marking the key as trusted the first time she
"sees" it in IE, or importing the CA key from OpenSSL/XCA.

> Okay guys - _this is a serious question_. Alice has a web site. Alice
> has a web browser which unfortunately happens to be MSIE. Alice wishes
> to view Alice's web site using Alice's browser (which is not on the
> same machine as the server). Alice does not wish to trust ANYONE
> else, but she does trust herself absolutely. How does she get the
> browser to display the padlock?
She creates her own SSL server key, then either manually imports it into
IE (simply a case of double-clicking it!) or marks it as trusted the first
time she connects to her SSL server.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
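
The "be your own CA" route mentioned in the message above, sketched with the openssl command line as an added example that is not part of the original post. The host name, subject names, file names and lifetimes are constructed assumptions; ca.crt is the file that would be imported into the browser's trusted roots.

```shell
#!/bin/sh
# Added example: a private CA with the openssl CLI. Names and lifetimes are constructed.

make_private_ca() {   # $1 = output directory, $2 = server host name
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key plus self-signed root certificate. ca.key never leaves Alice's machine.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -extensions v3_ca -subj "/CN=Alice Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key and signing request; the server key stays on the web server.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the request, restricting the result to TLS server use for $host.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 90 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Succeeds only if the certificate chains to the given CA and is valid for a TLS server.
chains_to_ca() {      # $1 = CA certificate, $2 = certificate to check
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running `make_private_ca ./pki www.alice.example` and then `chains_to_ca ./pki/ca.crt ./pki/server.crt` performs the same chain check a browser does once ca.crt is in its trusted root store.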


