[OT] Trusting X.509 certificate

MFPA expires2013 at ymail.com
Tue Apr 16 21:44:24 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Tuesday 16 April 2013 at 10:50:36 AM, in
<mid:516D1EEC.8050205 at digitalbrains.com>, Peter Lebbing wrote:


> Everything the certificate "says" is under attacker
> control when they redirect the HTTPS session to their
> own system[1].

Which is why I also suggested searching other sources of information
for comparison.



> You need to find a trust path based on
> cryptographic signatures, not on what the Subject and
> Issuer fields and what not say in the certificate.

Ideally. But I would suggest the necessity depends on the intended use
of (or interaction with) the site.

To register an email address on a mailing list, I would probably spend
practically zero time checking.


- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

I think not, said Descartes, and promptly disappeared
-----BEGIN PGP SIGNATURE-----

iQCVAwUBUW2qK6ipC46tDG5pAQqiiwP+OWETvT8Y/3+L2ApSJAmKmaSWgXWCgeOJ
C4kk6JSnTWGowx6whZLDXmGpCMHpL5Isi6Mbalmj4/iDq6tyeQVgXWYHnixy5U/3
jTVnOiUIjRIQWQ5QPVWhoQRjoRZ/cVqkd+2m85W0UFn22O7GaAdj/M7all+Av7nz
UUdHeImAJdg=
=bm7k
-----END PGP SIGNATURE-----
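
The point quoted in this message (the names a certificate states are chosen by whoever made it, while a signature chain to an anchor you already hold is not), shown as an added example that is not part of the original e-mail or written by either poster. It assumes the `openssl` command-line tool is installed; the subject strings, host name and file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (constructed): every name and file below is made up for the demo.
WORK=$(mktemp -d)

# Create a self-signed root. Anyone can choose this subject string.
make_root() {  # $1 = file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Trust/CN=Example Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate signed with the given root's private key.
issue_leaf() {  # $1 = root prefix, $2 = leaf prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lists.example.org" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# What the certificate "says": text fields written by its creator.
names() { openssl x509 -noout -subject -issuer -in "$WORK/$1.crt"; }

# What can be checked: does a signature chain lead to the anchor we hold?
chains_to() {  # $1 = trusted root prefix, $2 = leaf prefix
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_root trusted   && issue_leaf trusted   genuine     # anchor obtained out of band
make_root lookalike && issue_leaf lookalike redirected  # same names, different key

names genuine
names redirected
chains_to trusted genuine    && echo "genuine: chain verifies"
chains_to trusted redirected || echo "redirected: chain does NOT verify"
```

Both certificates print the same Subject and Issuer lines; only the one signed by the key behind the trusted root passes `openssl verify`.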



