On Tue, Sep 10, 2013 at 05:47:55PM -0400, John R Levine wrote: > > I think we're entering the tinfoil zone here. Comodo is one of the > largest CAs around, with their entire income depending on people > paying them to sign web and code certs because they are seen as > trustworthy. You might want to watch first half of Moxie Marlinspike's presentation at Black Hat 2011, "SSL And The Future Of Authenticity". It's not entirely clear to me that his proposed solution is the correct one, but his problem statement of why CA's can't be trusted to do a good job can be found here: http://www.youtube.com/watch?v=Z7Wl2FW2TcA > How likely is it that they would risk their reputation and hence > their entire business by screwing around with free promo S/MIME > certs? Watch the video; note that removing Comodo from the list of acceptable CA's is really not practical, so there really is no incentive for them to do a good job. - Ted