Re: [Asrg] Re: the e-postage argument

[mathew <meta at pobox.com>]

On Apr 22, 2004, at 23:07, Seth Breidbart wrote:
> mathew <meta@pobox.com> wrote:
> > On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
> > > > How come SSL certificates in HTTPS transactions can work? Aren't 
> > > > they
> > > > reasonably analogous?
> > > No; anybody can generate one.  Somebody who wanted billions of valid
> > > ones could just spend a little CPU time.
> > No, it doesn't work like that. If it did, SSL would be useless.
> No, SSL encrypts.
SSL with certificates can also authenticate, and that's the kind of 
functionality that's needed for e-postage.

> > Sure, I can generate a self-signed SSL certificate, but that's not
> > going to get me anywhere.
> It does for a number of stores I shop at.
>
> After all, what value does having a certificate signed by Verisign
> actually provide?
It provides assurance that the system you are connecting to is one 
approved by Verisign.

So, what value does e-postage signed by Verisign have? Well, it might 
hypothetically have the value that Verisign will redeem it for cash.

Now, I notice you deleted my challenge, so let me re-state it. If you 
think SSL certificates are worthless and easily bypassed, let's see you 
generate one which my browser will accept without throwing up a warning 
that it's bogus.

> > Ask yourself why phishing sites don't use SSL.
> Why should they bother?  Would it increase their success ratio?
It would if they could get the certificate to be accepted without any 
warning, the connection to show as secure, and the certificate to state 
that they really are the institution they're pretending to be. If they 
could do that, they might fool people like me. But they can't, which is 
the entire point.


mathew


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg