[10124] in cryptography@c2.net mail archive
Re: CFP: PKI research workshop
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Mon Jan 14 21:11:33 2002
To: Carl Ellison <cme@jf.intel.com>
Cc: <cryptography@wasabisystems.com>,
"SPKI Mailing List" <spki@wasabisystems.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 14 Jan 2002 14:19:51 -0800
In-Reply-To: Carl Ellison's message of "Mon, 14 Jan 2002 14:08:27 -0800"
Message-ID: <kj4rloo9rs.fsf@romeo.rtfm.com>
Carl Ellison <cme@jf.intel.com> writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
> >"Stef Caunter" <stefan.caunter@senecac.on.ca> writes:
> >> Does a user of ssl services care to know absolutely that they are
> >> communicating verifiably with whom they believe they have contacted, or does
> >> the user care to know absolutely that their communication is completely
> >> private?
> >These are inextricably connected. If you want to know that
> >your communications are private in the face of active attack
> >you need to know who you're talking to as well.
>
> Of course you do. That's why https://store.palm.com/ is such a
> problem. You thought you were talking to (and wanted to talk to)
> Palm Computing, just like the logos and page layout said you were.
> You're not. You're talking to a MITM. Palm hired them to run the
> store? The certificates don't say that.
The certificates say EXACTLY that. They say that this entity
is authorized to use the domain name store.palm.com.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List