[Richard, thanks for the message of support, I am still blushing ... John.
;)]

==============================================
From: Richard Forno [mailto:[log in to unmask]]
Sent: Wednesday, March 28, 2001 1:19 PM
To: john.armitage
Subject: Great list, john!


John -

This list is a neat little source of interesting and informative nuggets of
wisdom! My kudos to you folks for running it!

I thought you'd be interested in our latest missive on the inherent security
problems with PKI in light of the VeriSign-Microsoft fiasco last week. If
you think it's relevant to the list members, I'd respectfully ask your
approval to post the announcement and URL.

Again, I am greatly enjoying your list's traffic and resources!

Cheers,

Rick Forno
Washington, DC

----------

From: Richard Forno, INFOWARRIOR.ORG

"PKI - A Matter of Trusting Trust" discusses some of the inherent
vulnerabilities with Public Key Infrastructures and Digital Signatures as
currently implemented by the PKI industry. This is in response to the
vulnerabilities exposed last week when it was learned that VeriSign (the
"Internet Trust Company" and leading issuer of digital certificates) issued
two legitimate certificates to imposters claiming to represent Microsoft.

The article does not have much technical jargon, and is very "readable" for
all levels of computer expertise.

The jist of the piece is that digital certificates, as currently implemented
by the PKI industry, are NOT trustworthy, contrary to the PKI industry's
claims, and posits that customers aren't getting the security or "trust"
they think they're receiving. The article then provides analysis backing up
this premise.

Questions and issued raised include pointing out vulnerabilities with how
PKI vendors (Certificate Authorities) conduct the vetting process to verify
the authenticity of a certificate applicant, and how certificates are
implemented on an "issue and forget' mentality that has no recurring
verification loop, such as how credit cards are verified at retail counters.
The article also provides some easy-to-implement concepts that would
significantly-improve the amount of trust provided by using digital
certificates.

The article is in Adobe Acrobat and located at
www.infowarrior.org/articles/2001-01.pdf

Although the document is copyrighted, permission is granted to redistribute
all or portions of this essay provided the copyright notice and contact
information is kept intact....our goal is and continues to be user awareness
and education of critical security issues associated with today's Wired
Society.

Enjoy!

Best wishes from Washington, DC....

Richard Forno
Co-Author, The Art of Information Warfare
www.infowarrior.org / [log in to unmask]

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************