At 11:48 AM 6/21/2002 -0700, Ian Clelland wrote:
>The trust model doesn't break down just because anyone can create a
>valid X.509 certificate. There still has to be a valid chain of trust
>leading back to a trusted party (RSA, in this case). If that trust is
>abused, then RSA can revoke your cert and break the chain.

a) it isn't clear to me that RSA would have the right to revoke the
organisation's certificate; maybe they build it into their license
agreement.

b) browsers *don't check* the revocation status on certificates, and
the field that points to the server for the revocation list is almost
never filled in anyway.

Greg.

Greg Rose
INTERNET: [EMAIL PROTECTED]
Qualcomm Australia
VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, Gladesville NSW 2111
http://people.qualcomm.com/ggr/
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
