>> I don't want to discount the importance of cert discovery, but I do
>> think it's a stretch to believe that you're going to be willing to
>> trust all of the certs that you discover in a chain of significant
>> length, for a significant set of purposes.
>
>We're already trusting chains of significant length (i.e. DNS delegation)
>with no decent verification at all.

That's a good point. PKI on DNS might not be the most trustworthy
system imaginable, but it would probably be an improvement over no PKI.
Provided it doesn't break DNS...

/========================================================\
|John Stracke                    |Principal Engineer     |
|jstracke@incentivesystems.com   |Incentive Systems, Inc.|
|http://www.incentivesystems.com |My opinions are my own.|
|========================================================|
|E pui muove! -- Galileo                                 |
\========================================================/