SSL, client certs, and MITM (was WYTM?)
Tom Weinstein
tweinst at pacbell.net
Wed Oct 22 18:39:18 EDT 2003
Ian Grigg wrote:
> Nobody doubts that it can occur, and that it *can* occur in practice.
> It is whether it *does* occur that is where the problem lies.

This sort of statement bothers me.

In threat analysis, you have to base your assessment on capabilities,
not intentions. If an attack is possible, then you must guard against
it. It doesn't matter if you think potential attackers don't intend to
attack you that way, because you really don't know if that's true or not
and they can always change their minds without telling you.
--
Give a man a fire and he's warm for a day, but set | Tom Weinstein
him on fire and he's warm for the rest of his life. | tomw at tellme.com
---------------------------------------------------------------------
The Cryptography Mailing List