[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGP, Inc.



Tim Dierks wrote:
> 
> The only effort they make is that when using the email-based CA, it mails
> the certificate to the address within, so it's not trivial to get a cert
> for an address that you don't have access to. (I'm not saying it's
> impossible, or even hard, just that it requires some skill and effort).

For example, see http://www.digicrime.com/id.html . I believe they got
these certificates using the Web, rather than e-mail.

I think with e-mail, you'd actually have to be running a packet sniffer
or doing an active attack such as DNS spoofing. However, the Web is
much, much more convenient.

In any case, the page I referenced above is worthwhile reading.

Raph