[14699] in cryptography@c2.net mail archive


Re: SSL, client certs, and MITM (was WYTM?)

daemon@ATHENA.MIT.EDU (Tom Weinstein)
Wed Oct 22 18:45:04 2003

X-Original-To: cryptography@metzdowd.com
Date: Wed, 22 Oct 2003 15:39:18 -0700
From: Tom Weinstein <tweinst@pacbell.net>
To: iang@systemics.com
Cc: tom.otvos@rogers.com, cryptography@metzdowd.com
In-Reply-To: <3F96E993.1B939B5D@systemics.com>

Ian Grigg wrote:

> Nobody doubts that it can occur, and that it *can* occur in practice. 
> It is whether it *does* occur that is where the problem lies.

This sort of statement bothers me.

In threat analysis, you have to base your assessment on capabilities, 
not intentions. If an attack is possible, then you must guard against 
it. It doesn't matter if you think potential attackers don't intend to 
attack you that way, because you really don't know if that's true or not 
and they can always change their minds without telling you.

-- 
Give a man a fire and he's warm for a day, but set   | Tom Weinstein
him on fire and he's warm for the rest of his life.  | tomw@tellme.com 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
