-- On 3 Sep 2002 at 11:16, Meyer Wolfsheim wrote:
I encourage everyone to send Bill Gates an email from himself. =)
============================================================= ========= ==== Vendor Notification Status
Microsoft knows about this, of course, but "isn't even sure whether to call this a 'vulnerability'." Right.
While the immediate bug is in Microsoft IE and Outlook, this exploit is also a reflection of the contorted mess that is the certificate structure and the public key infrastructure, and of the fact that Verisign is not doing its job. (This exploit only works if one starts with a legitimate verisign certificate for a web site, it does not work if one starts with a legitimate Thawte certificate.) Microsoft unambiguously screwed up, but the infrastructure made it easy to screw up, and difficult and expensive to get things right. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG 2S6sg825yJSZ69s23KyOvpaHYYQYbgoRuPl2j1JZ 24hZwF+YmQMFl2hK8LOkiesmNrg+xJ0ZdA1qPUzQU