Dan Langille wrote:
> On 3 Jun 2005 at 9:27, Adrian Irving-Beer wrote:
>
>> On Thu, Jun 02, 2005 at 03:30:19PM -0400, Bill Strosberg wrote:
>>
>>> CA-issued certs & automatic browser inclusion of root certs always
>>> have been a thorn in my side. Why should anyone trust someone else
>>> because they paid a third party to say they are who they are? (even
>>> if they lied).
>>
>> The original (primary) idea was that the cert companies verify who you
>> are, sort of like PGP.
>>
>> The (secondary) idea was to prevent man-in-the-middle attacks by
>> ensuring that the 'in the middle' guy has to a) at least expend
>> more effort trying to get a similar certificate, and b) hopefully not
>> succeed.
>>
>> Obviously, I have no idea if either of these are still being practiced
>> by the companies in question.
>
> So... about CACert....
>
> What do you think about them?

Companies like this ask you to install a chain-of-authority cert along with the cert they issue you - this establishes their path back to a trusted root cert when someone queries the webserver for the cert info. If you properly install the chain cert, users that connect to your webserver can SSL/TLS without those annoying "Warning!" messages slowing their surfing.

CACert is no better or worse than anyone else in the business. My position is that the whole on-line trust model is broken. Profit!-motivated organizations have no place in a trustworthy system. Principles are always soluble in cash.

--
Bill