[
Lists Home |
Date Index |
Thread Index
]
Rich Salz scripsit:
> > Very true, although eventually those certificates will expire, and then
> > you need a new browser, in which case I've got you.
>
> No, because the old CA can sign a new CA certificate. If I have that, and
> I have the new self-signed certificate, I have a trust path.
Just because I trust CA1, doesn't mean I trust any CAs that they have
perhaps foolishly decided to trust. The exposure of transitive CA trust is
much greater than simple trust.
> CA can just sign something that says "key nnnnnn is the new public key of
> this CA."
Fair enough.
> As for 2617, I dislike the dictionary attack, especially since it uses
> weak user-chosen passwords which are historically easy to guess.
Actually, there is nothing in 2617 that says the passwords must be
user-chosen. On www.reutershealth.com, all passwords are chosen by us,
sent to the user out of band, and forgotten. Unfortunately, we still
have to use basic authentication, but since we hold no privacy-sensitive
data about anyone, we consider that sufficiently secure.
> But given SSL, I don't see a compelling need for it; do you?
It's considerably more lightweight. It isn't always necessary or
commercially sensible to use the strongest grade of protection.
--
John Cowan jcowan@reutershealth.com www.ccil.org/~cowan www.reutershealth.com
I must confess that I have very little notion of what [s. 4 of the British
Trade Marks Act, 1938] is intended to convey, and particularly the sentence
of 253 words, as I make them, which constitutes sub-section 1. I doubt if
the entire statute book could be successfully searched for a sentence of
equal length which is of more fuliginous obscurity. --MacKinnon LJ, 1940
|
