Another entry in the internet security hall of shame....
James A. Donald
jamesd at echeque.com
Sun Aug 28 22:32:25 EDT 2005
--
From: Dave Howe <DaveHowe at gmx.co.uk>
> 2) Google got into the CA business; namely, all
> GoogleMail owners suddenly found they could send and
> receive S/Mime messages from their googlemail
> accounts, using a certificate that "just appeared" and
> was signed by the GoogleMail master cert. Given the
> GoogleMail user base, this could make GoogleMail a
> defacto CA in days.
>
> 3) This certificate was downloaded to your GoogleTalk
> client on login, and NEVER cached locally
>
> Ok, from a Security Professional's POV this would be a
> horror - certificates all generated by the CA (with no
> guarantees they aren't available to third parties) but
> it *would* bootstrap X509 into common usage,
That horse is dead. It is not going into common usage.
SSL works in practice, X509 with CA certs does not work
in practice. People have been bullied into using it by
their browsers, but it does not give the protection
intended, because people do what is necessary to avoid
being nagged by browsers, not what is necessary to be
secure.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
mQ0rM7wYdVTuoeMRUcrpDc1V9pUqhEgUmJMtyCZZ
469u1yKDDCKWaUWwU/LYyE/7CVNRZV7OjXCs+Kyyc
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list