

> Indeed, if I get to filter *all* your accesses to the net, I can make
> you believe anything I want, by masquerading as all possible trusted
> third parties.  There's nothing to be done about this.

Well, kinda, but not really.  If I have a certificate from, say,
the real CA (i.e., Verisign), then you can't spoof me, you can only
deny me access.  That's why PKI (public key infrastructure) talks
about "out of band" configuration or validation of the root key.

In the Web world, all SSL-speaking browsers come with a list of root
certificates for CAs that issue SSL-certs.  As long as you trust
the certs that came with your browser, then even if I am sitting
as a lonely island completely with every one of my IP packets
under your control, you can't fool me.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
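
The point made in the message above, as an added example that is not part of the original post: a client that pins a root certificate obtained out of band accepts a certificate issued under that root and rejects one issued under an interceptor's look-alike root, even when the look-alike copies the root's name. The helper names `issue` and `TrustedBy`, the subject "Real Root CA" and the host `www.example.test` are hypothetical; the code uses only Go's standard `crypto/x509` package and generates all keys and certificates in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate: a self-signed root when parent is nil, a leaf when dns names are given.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: dns,
		Subject: pkix.Name{CommonName: cn}, IsCA: len(dns) == 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // no issuer supplied: sign with the new key itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// TrustedBy reports whether leaf chains to the single pinned root and is valid for host.
func TrustedBy(pinned, leaf *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(pinned) // the only trust anchor: the root obtained out of band
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	root, rootKey := issue("Real Root CA", nil, nil) // shipped with the client
	fake, fakeKey := issue("Real Root CA", nil, nil) // interceptor's copy: same name, different key
	good, _ := issue("www.example.test", root, rootKey, "www.example.test")
	forged, _ := issue("www.example.test", fake, fakeKey, "www.example.test")
	fmt.Println(TrustedBy(root, good, "www.example.test"), TrustedBy(root, forged, "www.example.test"))
}
```

The forged certificate fails on the signature check against the pinned root's public key, so the party controlling the network can block the connection but cannot make the client accept the substitute.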

