mathew <meta(_at_)pobox(_dot_)com> wrote:
> On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
>>> How come SSL certificates in HTTPS transactions can work? Aren't they
>>> reasonably analogous?
>> No; anybody can generate one. Somebody who wanted billions of valid
>> ones could just spend a little CPU time.
> No, it doesn't work like that. If it did, SSL would be useless.

No, SSL encrypts.

> Sure, I can generate a self-signed SSL certificate, but that's not
> going to get me anywhere.

It does for a number of stores I shop at.

After all, what value does having a certificate signed by Verisign
actually provide? If it turns out to be bogus and you lose money,
will Verisign compensate you? Does Verisign have any actual
responsibility to you, the truster of a certificate they issued?
Or do you just like the assurance that "This certificate was issued by
somebody who paid (somebody who paid)* to have a root certificate
pre-implanted in my browser"?

> Ask yourself why phishing sites don't use SSL.

Why should they bother? Would it increase their success ratio?

Seth
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg