On 3 Jun 2005 at 10:20, Bill Strosberg wrote:

> Dan Langille wrote:
> > On 3 Jun 2005 at 9:27, Adrian Irving-Beer wrote:
> >
> >>On Thu, Jun 02, 2005 at 03:30:19PM -0400, Bill Strosberg wrote:
> >>
> >>>CA-issued certs & automatic browser inclusion of root certs always
> >>>have been a thorn in my side. Why should anyone trust someone else
> >>>because they paid a third party to say they are who they are? (even
> >>>if they lied).
> >>
> >>The original (primary) idea was that the cert companies verify who
> >>you are, sort of like PGP.
> >>
> >>The (secondary) idea was to prevent man-in-the-middle attacks by
> >>ensuring that the 'in the middle' guy has to a) at least expend more
> >>effort trying to get a similar certificate, and b) hopefully not
> >>succeed.
> >>
> >>Obviously, I have no idea if either of these are still being
> >>practiced by the companies in question.
> >
> > So... about CACert....
> >
> > What do you think about them?
>
> Companies like this ask you to install a chain-of-authority cert along
> with the cert they issue you - this establishes their path back to a
> trusted root cert when someone queries the webserver for the cert
> info.
> If you properly install the chain cert, users that connect to your
> webserver can SSL/TLS without those annoying "Warning!" messages
> slowing their surfing.
>
> CACert is no better or worse than anyone else in the business. My
> position is that the whole on-line trust model is broken.
> Profit!-motivated organizations have no place in a trustworthy system.
> Principles are always soluble in cash.

CACert is not a company. It's not involved in cash. There's no profit.
I don't see how your comments relate to my question.

--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/