Cold Signing Payment Requests



Summary:

In an email exchange between Mike Hearn and Timo Hanke, the issue of SSL key compromise is raised in relation to a payment specification. While the OP suggests differentiating between "most trusted" and "less trusted" keys, Hearn argues that the SSL PKI cannot handle compromised web servers and therefore cannot be relied upon to solve the problem. He notes that if a web server's SSL key is compromised, whoever holds the key can simply issue themselves a new SSL certificate with whatever data they want and pose as the merchant. Hanke agrees, stating that they had already discussed this issue in the past.


Updated on: 2023-06-06T15:32:57.591382+00:00