On Fri, Jun 03, 2005 at 11:08:47AM -0400, Bill Strosberg wrote:

> My position is that the on-line client-server trust model is
> broken - and anyone participating (CACert included) is part of a
> broken system.

[...]

> CACert's verification process is probably worse than the commercial
> efforts of Entrust et al - they apply to people only, and corporate
> bodies are not verifiable.

Well, with any luck, if enough people give out certs with minimal verification and at a very low price, the market will become worthless and customers will find something else instead. Perhaps another set of root certs with more going for them. Perhaps small community-run CAs. Perhaps asking their banks (in person) for X.509 checksum fingerprints and adding their keys to a personal keyring, PGP style.

The nice thing about SSL as a technology is, like DNS, there's the established roots, and then there's the ability to make your own. Personally, I run my own CA for various purposes, including VPN node interverification.
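The "personal keyring, PGP style" idea from the message above, as an added example that is not part of the original thread: a host-to-fingerprint keyring filled in from an out-of-band source, a check that ignores the CA chain entirely and trusts only the pinned SHA-256 fingerprint of the leaf certificate, and a helper that fetches a live certificate to run that check. The keyring contents and the DER bytes are constructed placeholders, and the host names are assumptions.

```python
import hashlib
import socket
import ssl

# Constructed keyring: host -> SHA-256 fingerprint of the DER certificate,
# recorded out of band (e.g. read off a slip handed over at the bank counter).
# Entries here are placeholders for this example, not real bank fingerprints.
KEYRING: dict[str, str] = {}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex,
    the same layout `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin(keyring: dict[str, str], host: str, fp: str) -> None:
    """Record a fingerprint obtained out of band; normalise case only."""
    keyring[host] = fp.upper()


def check(keyring: dict[str, str], host: str, der_cert: bytes) -> str:
    """Compare a presented certificate against the pin on file.
    Returns 'ok', 'unknown' (no pin recorded, refuse rather than TOFU)
    or 'mismatch' (pin exists but the certificate differs)."""
    if host not in keyring:
        return "unknown"
    return "ok" if fingerprint(der_cert) == keyring[host] else "mismatch"


def check_live(keyring: dict[str, str], host: str, port: int = 443) -> str:
    """Fetch the server's leaf certificate and run check() on it.
    CA validation is switched off on purpose: trust comes solely from
    the pinned fingerprint, which is the model the message describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check(keyring, host, tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; any byte string works
    # for demonstrating the keyring logic offline.
    sample_cert = b"constructed-placeholder-not-a-real-certificate"
    pin(KEYRING, "bank.example", fingerprint(sample_cert))
    print(check(KEYRING, "bank.example", sample_cert))
```

A pin only says "this exact certificate", so every legitimate certificate rotation at the bank needs a fresh out-of-band fingerprint, otherwise the check reports a mismatch that is indistinguishable from an interposed certificate.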