Richard Lynch wrote:
And in the real world, where browsers just blindly chase down CAs and
the basic Security Model is "you pay us $200, and we make sure you
are who you say you are, and then we trust you" what real difference
does it make?
Users can remove untrustworthy CA certs from their browsers.
There are certainly a zillion sites *I* do not trust that have
high-priced CA-certified SSL certs...
And Joe Sixpack and Betty Buick just look for the little lock symbol
to be closed, and guage trustworthiness only on there being no popups
warning them it's not secure, and that the site "looks" professional,
and a "brand-name" on the logo/domain.
That's why there are organizations like WebTrust - to perform audits as
to how personal data is used.
So, why exactly would I pay for a $200 background check on myself,
when I already trust myself? Why not pay $70 for an SSL with no
background check on myself, so long as it makes Joe Sixpack and Betty
Buick happy, if it's got 99% ubiquity?
As I said above, users may delete the CA cert from their browser. This
means that the CA you pay $70 to would not be trusted - period. One
day, many users will know the fact that the certificate should be
checked before sensitive information is sent through the SSL connection.
I'm often curious why exactly people think the SSL / CA system is so
great, when it seems a whole lot like the Emporer's Clothes to me, or
some kind of weird Ponzi scheme to line the pockets of a handful of
companies, with very very very little added-value to the end user.
It appears that you never applied for a certificate before, or applied
for certs from CAs that don't verify information. Identification is
extremerly important when it comes to knowing whether or not to trust
the given public key.
I am not trying to humiliate you, but you may want to study about
cryptography and its use for the internet. I operate my own
web/e-mail server (and have been doing so for some time), and so, I know
how important it is to make sure a trustworthy CA signs a public key.
Cheers,
- KJM
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php