Anthony J Moulen wrote:
> You are aware that most browsers do not actually authenticate a
> certificate. They only ensure that the certificate was signed by a
> signer that it trusts.

...which is a form of authentication, no? You have verified that the certificate was confirmed valid by a (theoretically) trusted party.

> In a true security sense you should also be
> querying the revocation list from the authority to ensure that the
> certificate hasn't been compromised and reported.

True. Being signed by a CA doesn't ensure security (perfect security is nearly impossible anyway; someone could be using a key logger), but it's still different from having no assurance at all where you are sending data.

> The other issue is that the browser doesn't ensure that what you
> typed was correct.

Firefox does, on several levels, by tracking how many times you have visited a site, and if you have given a site special permissions. (And yes, I /do/ make use of these.) Good features to add to Konqueror, if you ask me...

--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
Never give up on learning