On 28/04/2014 23:00, James A. Donald wrote:
> Cannot outsource trust
>
> Ann usually knows more about Bob than a distant authority does. A
> certificate authority does not certify that Bob is trustworthy, but
> that his name is Bob.

In practice, they are certifying they sold a certificate to someone that had "Bob" on it. Even for EV certificates, that isn't hard to do, even if you are actually Kevin.
On 29/04/2014 02:25, Jason Iannone wrote:
> If browsers are defeating the purpose of the chain of trust, by
> forcing trust in this example, why design them to freak out when a
> site self-signs?

Mostly the value of the delusion in getting people to do things they wouldn't do on an "insecure" site.

Getting a CA cert is more about the feel-good factor of "they have a verified cert, so I can trust them" than anything they can really assert given the body of evidence pointing to the real case of "they have a verified cert, so clearly had a CC on hand with enough credit to buy a cert. This CC may even have been theirs". However, provided the vast majority of people believe it to be true, it is nearly as good as *being* true for commercial entities (and of course for the CAs).

Most users wouldn't know what to do to verify a thumbprint, even if it were printed on the back of their debit card, but would just click "OK" regardless.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography