On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith" <rms_at_computerbytesman.com> said:
> My question: Why can't an Authenticode certificate present the
> following information to a user:
>
> - Company name
> - Street address
> - Phone number
> - Web site URL
> - Contact Email address
> - Company logo
> - Link to a product description page
OK.. .So you get a cert - now other than "phone number", is there anything
there that *really* increases your confidence level (given that you have
2 http:// and a mailto: URL, and they could all point at a hijacked server)?
Remember that there has already been one well-publicized case of Verisign
issuing a bogus Microsoft cert - there's no proof they haven't made the
same social-engineering whoops on possibly *dozens* of lesser-known software
houses.
And after the dot-bombed era, there's probably a *lot* of places that had
certs and went belly up - and said certs went out the door when the servers
they were on got surplused. I'm sure snooping around the right hacker
IRC channels will find you a pointer to a black-market cert that you can have
a copy of....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/pgp-signature attachment: stored
Received on May 12 2003
Intro
