[cap-talk] On the importance of being "untrusted" - let's be clear
Jed at Webstart
donnelley1 at webstart.com
Thu Mar 3 14:06:15 EST 2005
At 10:44 AM 3/3/2005, Karp, Alan H wrote:
>Dean Tribble wrote:
>
> > Though better than "untrusted", giving instructions to the user seems
> > inappropriate. If I get mail from my brother, it seems
> > presumptious to
> > tell me to treat him as a stranger just because your software doesn't
> > recognize him.
> >
>If you get mail supposedly from your brother, but the certificate
>doesn't correspond to the one you used to establish a petname for him,
>you'd better treat him as the stranger who might be spoofing you.
Of course I'm not sure exactly what Dean was referring to with his example, but
I can easily imagine a situation where I'm looking at "received" email through
a Web interface to a site that I haven't named but where the mail itself
can be positively identified by me (e.g. with a PGP/GPG signature).
The Web site itself is simply "unnamed." Trying to anticipate all situations
seems to me rather futile. As I noted previously it might be that the web site
itself is referenced in a link from a named and trusted site. It might well
be trusted though unnamed.
--Jed http://www.webstart.com/jed/
More information about the cap-talk
mailing list