On Tue, 2008-09-02 at 23:06 +0930, Tim wrote:
> The average HTTPS website that "just works" for you has paid a lot of
> money to someone like Verisign to assert that they're who they claim
> to be

The irony is that if you read Verisign's documentation, they don't
actually claim to guarantee this. They just go through some standardized
checking process involving external authorities such as notaries or
business registries. A sufficiently interested adversary can quite
easily register a company and get a certificate. If you don't recognize
the company using external information (e.g. it's called IBM or The New
York Times) you have no objective reason to trust it.

poc

--
fedora-list mailing list