[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] Draft-sstc-sec-consider-03.doc
> The "client" is unfortunately a *human* that just gets a
> hint that something
> is not correct but he/she may click "Continue" to ignore.
> And maybe even select to
> trust the next time. This is the problem with ad-hoc PKI as
> Dug correctly points
> out. This is also probably the weakest spot in SAML,
> assuming that servers
> are not too easy to hack into.
This is nonsense. Users get very upset when they get a popup warning about a security error. We even found it impossible for them to accept a self-signed certificate from us by secure means. If it doesn't validate with one of the built-in roots, thay won't touch it. This has been discussed repeatedly in the PKIX list and in the opinion of some, e.g. Peter Gutmann, it is a major reason people buy server certificates from public CAs.
Powered by eList eXpress LLC