On Feb 16, 2014, at 8:45 AM, Jasper Kips <jasper@xxxxxxxxxxxxx> wrote:

> On 16 Feb 2014, at 05:26, Tedd Sperling <tedd@xxxxxxxxxxxx> wrote:
>
>> I claim that an SSL Certificate is nothing more than a software instrument used by Browsers to alert users that the site they are visiting is indeed the site being reported -- IOW, the identity of the site can be trusted.
>
> Yes, you are wrong. An SSL Certificate is NOT (repeat not) an identification of a site. If anything, identification-wise, it is a signed statement by the provider of the certificate that the provider feels the Certificate details are right, and therefore the site's claim to be who the Certificate says it is could be right. The trustworthiness of the claim that the certificate belongs to the site serving it, and thereby establishes its identity, is dependent on the trustworthiness of all certificates in the chain of certificates, all the way up to the root certificate. Thus if any certificate in the chain is compromised, the end certificate is not to be trusted. And this happens, more often than we want. Certificate authorities get compromised, more than you think.

Now I am really confused, because what I said is basically what you said, but yours was more verbose.

Can you be more specific as to why an SSL Certificate is NOT (repeat not) an identification of a site?

Cheers,

tedd

_______________
tedd sperling
tedd@xxxxxxxxxxxx

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php