PGP, Inc.

Raph Levien raph at cs.berkeley.edu
Sat May 11 01:09:44 PDT 1996


Tim Dierks wrote:
> 
> The only effort they make is that when using the email-based CA, it mails
> the certificate to the address within, so it's not trivial to get a cert
> for an address that you don't have access to. (I'm not saying it's
> impossible, or even hard, just that it requires some skill and effort).

For example, see http://www.digicrime.com/id.html . I believe they got
these certificates using the Web, rather than e-mail.

I think with e-mail, you'd actually have to be running a packet sniffer
or doing an active attack such as DNS spoofing. However, the Web is
much, much more convenient.

In any case, the page I referenced above is worthwhile reading.

Raph





