S/MIME in Outlook -- fucked.
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Sep 3 22:14:16 PDT 2002
"James A. Donald" <jamesd at echeque.com> writes:
>While the immediate bug is in Microsoft IE and Outlook, this exploit is also
>a reflection of the contorted mess that is the certificate structure and the
>public key infrastructure
One of the eternal problems of X.509 software:

Implementation Problem Redux

Certified for use with Windows
- Microsoft owns the trademark
- Submit software to Microsoft, who perform extensive testing
- Passing software can use the certification mark
- Reasonable (given the size of the deployed base) interoperability among tested products

S/MIME
- RSADSI owns (owned) the trademark
- Simple interoperability test for signing and encryption
  -- Anyone could participate, at no cost
- Passing software can use the certification mark
- Good interoperability among tested products

X.509
- No quality control
- You cannot build software so broken that it can't claim to be X.509v3

(Lifted from "Everything you never wanted to know about PKI but have been
forced to find out",
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf).
Peter.