- From: Ben Laurie <ben@algroup.co.uk>
- Date: Mon, 14 Jun 1999 18:49:39 +0100
- To: Steve Parker <sparker@well.com>
- CC: 'Alex Kodat' <ALEX@sirius.sirius-software.com>, hallam@ai.mit.edu, http-wg@hplb.hpl.hp.com
Steve Parker wrote:
>
> Unfortunately, there are problems with certificate security.
> Shamir recently demonstrated how easy it is find the private key
> in a PC because of different entropy of the objects.
Err? And who leaves their private key lying around unencrypted?
> Also, how can I be sure that the "client" serving up the
> certificate is the endpoint? A toolkit like WIDL would appear to
> provide a screen scraping capability for http which effectively
> creates a potential proxy, of which I, at the server end have
> no knowledge. Even if I have a cryptographically secure tunnel,
> and have a certificate, how do I know that someone hasn't added
> their own plumbing to the client?
Why do you care?
> There are times when it pays to use both belt and suspenders ...
> and even that may not be enough.
What were you planning to add to certs+crypto to make it more secure?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
Received on Monday, 14 June 1999 10:54:43 UTC