On 3 Jun 2005 at 9:27, Adrian Irving-Beer wrote:

> On Thu, Jun 02, 2005 at 03:30:19PM -0400, Bill Strosberg wrote:
>
> > CA-issued certs & automatic browser inclusion of root certs always
> > have been a thorn in my side. Why should anyone trust someone else
> > because they paid a third party to say they are who they are? (even
> > if they lied).
>
> The original (primary) idea was that the cert companies verify who you
> are, sort of like PGP.
>
> The (secondary) idea was to prevent man-in-the-middle attacks by
> ensuring that the 'in the middle' guy has to a) at least expend
> more effort trying to get a similar certificate, and b) hopefully not
> succeed.
>
> Obviously, I have no idea if either of these are still being practiced
> by the companies in question.

So... about CACert.... What do you think about them?

--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/