Kyle,

Kyle Hamilton wrote:
> Mary and Mallory may not be the same control.
>
> Mary has a site with a cert with AIA. Mallory can take control over
> that location for the AIA, without Mary being able to do a thing to
> stop it.

If Mallory was able to replace Mary's cert with a fake one, then they effectively have control already, and they might as well save themselves the trouble and just download Mary's server log file. It will be much more discreet, and less trouble.

The other case is an MITM. Mallory is intercepting Mary's incoming connections somehow, and sending their own fake cert (MITM) with an AIA, that phones back home. However in that case, why bother even phoning back home? Mallory is in the middle, and already knows that Alice is trying to connect to Mary.

It's a little hard to see what Mallory is gaining from using an AIA that they can't already get by other means.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto