"James A. Donald" <jamesd@echeque.com> writes:

While the immediate bug is in Microsoft IE and Outlook, this exploit is also a reflection of the contorted mess that is the certificate structure and the public key infrastructure

One of the eternal problems of X.509 software: Implementation Problem Redux Certified for use with Windows - Microsoft owns the trademark - Submit software to Microsoft, who perform extensive testing - Passing software can use the certification mark - Reasonable (given the size of the deployed base) interoperability among tested products S/MIME - RSADSI owns (owned) the trademark - Simple interoperability test for signing and encryption -- Anyone could participate, at no cost - Passing software can use the certification mark - Good interoperability among tested products X.509 - No quality control - You cannot build software so broken than it can't claim to be X.509v3 (Lifted from "Everything you never wanted to know about PKI but have been forced to find out", http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf). Peter.