> From: Scott Gifford [mailto:sgifford@xxxxxxxxxxxxxxxx]
> Sent: Friday, 11 February, 2005 14:07
>
> Isn't this the entire reason for browsers coming with a
> small list of CAs which are deemed trustworthy?

What "small list"? IE contains root certificates with server-authentication rights from some 37 organizations. That's not the number of roots - that's the number of organizations who have gotten Microsoft to include one or more roots. Do you deem all of them trustworthy? Do you even have any idea who they are?

Do you suppose that the vast majority of users even know what a root cert or a CA is? They put their trust in "the system" - they've been told that it's safe to reveal sensitive information if they see a little padlock icon in their browser. Anything that makes it easier for an attacker to confuse that class of user - the dominant class - about what site they're actually using when that little padlock appears is *in practice* a serious security risk. It doesn't matter whether it's well-intentioned or technically elegant; it's a problem, and CAs are not going to save us from it.

Unfortunately, while it might appear that Verisign has shot itself in the foot with IDNs, in practice they have monopolistic power and a market which doesn't understand the product they're selling, and consequently can't make rational decisions. (Not that consumers generally make rational decisions anyway.) Verisign can probably devalue its own product pretty much arbitrarily without significant bottom-line impact.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus