Re: SSL and certificates



On 26 Aug 1996 Charlie_Kaufman/Iris.IRIS@iris.com wrote:

> >  2. Both parties can not be authenticated.
> 
> That's correct.

This is what client certs are about, I believe.  If both sides have a
cert, both sides can be authenticated. 


> >  3. Uninformed users are being lulled into a false sense of security.
> >
> That's probably true.

I would qualify this with adding in how well the ISP and client involved
have done their homework to build as strong an infrastructure as possible.

At least one well-advertised national Internet mall advertises its secure
credit card server -- then turns around and emails the CC to the client
unencrypted.  Incredible.  That is the most vulnerable side, as the email
sits on a disk for some period of time where it is the most subject to
being picked off.  This *is* lulling users into false security, and it is
deliberate; I believe they know the security risks involved. 

With a well-designed system, including proper PGP key and passphrase
management training to the client, the risks involved can be very greatly
reduced so that the risks are almost certainly lower than any other use of
CCs.

   -- Michael

