[cryptography] So, PKI lets know who we're doing business with?

Thor Lancelot Simon tls at panix.com
Tue Jan 8 17:14:08 EST 2013


On Tue, Jan 08, 2013 at 05:06:23PM -0500, Jeffrey Walton wrote:
> On Tue, Jan 8, 2013 at 3:59 PM, Thor Lancelot Simon <tls at panix.com> wrote:
> 
> > https://www203.americanexpress.com
>
> That's not too egregious (though it's bad). What frustrates me is when
> they send you to a different domain for the authentication or a
> transaction.

Well, yes, that's bad, but of course what I was trying to point out as
bad in this particular case was that even in the face of an hour's worth
of effort by someone calling from the security department of another
institution, in this case, the purported holder of this certificate was
*unable to say* whether it was actually theirs or not.

Whoops.

Thor


