On Thu, Jun 02, 2005 at 03:30:19PM -0400, Bill Strosberg wrote:
> CA-issued certs & automatic browser inclusion of root certs always
> have been a thorn in my side. Why should anyone trust someone else
> because they paid a third party to say they are who they are? (even
> if they lied).

The original (primary) idea was that the cert companies verify who you are, sort of like PGP. The (secondary) idea was to prevent man-in-the-middle attacks by ensuring that the 'in the middle' guy has to a) at least expend more effort trying to get a similar certificate, and b) hopefully not succeed. Obviously, I have no idea if either of these is still being practiced by the companies in question.