| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200603162022.k2GKMEeI018547@turing-police.cc.vt.edu> Date: Thu Mar 16 20:50:58 2006 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: HTTP AUTH BASIC monowall On Thu, 16 Mar 2006 15:10:50 EST, Brian Eaton said: > My read of that statement is that Geotrust sees nothing wrong with > their verification process and is not going to take any action to > prevent this from happening again. > > The incentives for the CAs are in all the wrong places. They suffer > no financial harm when they certify a false identity. Instead, they > make a quick buck. It's more subtle than that. Geotrust didn't do *anything* wrong. They issued a cert for www.mountain-america.net to the rightful owners of www.mountain-america.net. There's no reason to raise a flag here, as nothing nefarious has happened. They're not up for a financial hit for certifying a false identity, because they certified the real identity correctly, as per their procedures. There's little to nothing that Geotrust can do about the fact that after they properly certified mountain-america.net, it turned around and pretended to be mntamerica.net. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 228 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060316/e73a511c/attachment.bin
Powered by blists - more mailing lists