browser vendors and CAs agreeing on high-assurance certificates
Steven M. Bellovin
smb at cs.columbia.edu
Sun Dec 18 12:52:51 EST 2005
In message <43A5302F.24812.6E83E65 at localhost>, "James A. Donald" writes:
> --
>
>
>Has anyone been attacked through a certificate that
>would not have been issued under stricter security? The
>article does not mention any such attacks, nor have I
>ever heard of such an attack.
>
>If no attacks, this is just an excuse for higher priced
>holy water, an attempt to alter the Browser interface to
>increase revenue, not increase security - to solve the
>CA's problem, not solve the user's problem.
>
The very first phishing attack I ever heard of was for paypa1.com. As
I recall, they did have a certificate.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com