In a Network World column, http://www.networkworld.com/community/node/31124 the author writes:
> At Black Hat ‘08 there was a great demonstration of how valid “internal
> testing only” FQDN certificates for URLs that you don’t control can be
> obtained by anyone asking. The one obtained by the researcher at Black Hat
> was for MSFT’s https://login.live.com site, he didn’t disclose the CA that
> issued it to him but it was one that was trusted in IE by default.

This is, of course, very serious, as it casts doubts on the value of SSL and PKI for all products that use SSL. If we can determine what CA is doing this, I propose we pull them from the trusted CA list immediately.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto