OASIS Mailing List Archives


security-services message



Subject: RE: [security-services] Draft-sstc-sec-consider-03.doc


> The "client" is unfortunately a *human* that just gets a hint that something is not correct but he/she may click "Continue" to ignore. And maybe even select to trust the next time. This is the problem with ad-hoc PKI as Dug correctly points out. This is also probably the weakest spot in SAML, assuming that servers are not too easy to hack into.

This is nonsense. Users get very upset when they get a popup warning about a security error. We even found it impossible for them to accept a self-signed certificate from us by secure means. If it doesn't validate with one of the built-in roots, they won't touch it. This has been discussed repeatedly on the PKIX list and, in the opinion of some, e.g. Peter Gutmann, it is a major reason people buy server certificates from public CAs.

Hal
