From: Raph Levien <raph@cs.berkeley.edu>
To: Tim Dierks <timd@consensus.com>
Message Hash: 2dfab2879e5f82a8e662fd368c3348a48bc84f46215c2cebd2cc9ebec4b5d501
Message ID: <3193E226.575E651C@cs.berkeley.edu>
Reply To: <v02140b03adb92b2dbc65@[205.149.165.24]>
UTC Datetime: 1996-05-11 08:09:44 UTC
Raw Date: Sat, 11 May 1996 16:09:44 +0800
Subject: Re: PGP, Inc.
MIME-Version: 1.0
Content-Type: text/plain

Tim Dierks wrote:
>
> The only effort they make is that when using the email-based CA, it mails
> the certificate to the address within, so it's not trivial to get a cert
> for an address that you don't have access to. (I'm not saying it's
> impossible, or even hard, just that it requires some skill and effort).

For example, see http://www.digicrime.com/id.html . I believe they got
these certificates using the Web, rather than e-mail.

I think with e-mail, you'd actually have to be running a packet sniffer
or doing an active attack such as DNS spoofing. However, the Web is
much, much more convenient.

In any case, the page I referenced above is worthwhile reading.

Raph