lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 15 Feb 2005 14:48:38 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "bkfsec" <bkfsec@....lonestar.org>
Cc: "Vincent Archer" <var@...y-all.com>, <bugtraq@...urityfocus.com>,
	"Scott Gifford" <sgifford@...pectclass.com>,
	"David Schwartz" <davids@...master.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


>> Of course the CA has to gain the trust of the users... There are many
>> uses for client-based certificates: code signing, user verification,
>> email encryption, automatic mapping of user account to personal
>> certificates, blah blah blah.  The business model of commercial CA's is
>> most certainly not limited to server operators only.   While personal
>> certificate stores come with pre-trusted root certificates from many CA's
>> to automatically trust many server-based functions, there is a vast
>> market for client certs.
>>
> Yes, and how many average users do you know of who know this?
>
> I know quite a number of average users and know of absolutely 0 who would
> be aware of this.

The number of people that you know (or who I know) that are aware of the 
uses for client
certificates is not what drives commercial certificate authority business
models.   The simple fact of the matter is that user-level certificates are 
an important part of the commercial certificate authority plan, and becoming 
more and more so as your "average" users become aware of certificate 
applications.

When I got my NIC handle untold years ago, only 561 other humans had one. 
Your logic would preclude getting one in the first place, since no one knew 
they existed at the time.  When SSL certs were first being created 
commercially, how many server operators did you know that had one?  How many 
do you know now?  It's the same thing with client certs, and the logic 
stands that certificate applications apply to them as well; particularly in 
regard to the business and marketing models various certificate authorities 
are running their business by.  That was the point.

t

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ