> Richard Lynch wrote:
>> And in the real world, where browsers just blindly chase down CAs and
>> the basic Security Model is "you pay us $200, and we make sure you
>> are who you say you are, and then we trust you" what real difference
>> does it make?
>
> Users can remove untrustworthy CA certs from their browsers.
>
>> There are certainly a zillion sites *I* do not trust that have
>> high-priced CA-certified SSL certs...
>>
>> And Joe Sixpack and Betty Buick just look for the little lock symbol
>> to be closed, and gauge trustworthiness only on there being no popups
>> warning them it's not secure, and that the site "looks" professional,
>> and a "brand-name" on the logo/domain.
>
> That's why there are organizations like WebTrust - to perform audits as
> to how personal data is used.
>
>> So, why exactly would I pay for a $200 background check on myself,
>> when I already trust myself? Why not pay $70 for an SSL with no
>> background check on myself, so long as it makes Joe Sixpack and Betty
>> Buick happy, if it's got 99% ubiquity?
>
> As I said above, users may delete the CA cert from their browser. This
> means that the CA you pay $70 to would not be trusted - period. One
> day, many users will know the fact that the certificate should be
> checked before sensitive information is sent through the SSL connection.
>
>> I'm often curious why exactly people think the SSL / CA system is so
>> great, when it seems a whole lot like the Emperor's Clothes to me, or
>> some kind of weird Ponzi scheme to line the pockets of a handful of
>> companies, with very very very little added-value to the end user.
>
> It appears that you never applied for a certificate before, or applied
> for certs from CAs that don't verify information. Identification is
> extremely important when it comes to knowing whether or not to trust
> the given public key. It appears that you haven't been around here long.
> I am not trying to humiliate you, but you may want to study about
> cryptography and its use for the internet. I operate my own
> web/e-mail server (and have been doing so for some time), and so, I know
> how important it is to make sure a trustworthy CA signs a public key.

Ohhhh, your own web and email server? Okay, show of hands; how many
people on this list *do not* run their own servers?

--
John C. Nichel IV
Programmer/System Admin
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php