On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
> > How come SSL certificates in HTTPS transactions can work? Aren't they
> > reasonably analogous?
>
> No; anybody can generate one. Somebody who wanted billions of valid
> ones could just spend a little CPU time.

No, it doesn't work like that. If it did, SSL would be useless.

Sure, I can generate a self-signed SSL certificate, but that's not
going to get me anywhere. See
<URL:http://milliwaysconsulting.net/support/install_ca/mail.app.html>
for example, for discussion of the lengths you have to go to to get
Apple Mail to accept some random person's SSL cert.

I guess the spammers could cold-call Aunt Tillie on the phone and walk
her through the process of importing their self-signed certificate so
that their bogus postage would be accepted, but at least it would slow
them down a bit, eh? And if the postage verification was performed by
her ISP, they'd have to persuade *them* to accept SSL certs signed by
"Nigerian Opt-In Communications Inc." or whatever.

Ask yourself why phishing sites don't use SSL.

mathew