> ________________________________________
> From: James A. Donald
> Sent: Sunday, August 09, 2009 1:21 AM
> To: Thomas Hardjono
> Cc: Ben Laurie; Cryptography
> Subject: Re: Client Certificate UI for Chrome?
> Thomas Hardjono wrote:
>  > In this UI discussion, I think it's less relevant
>  > whether trust is hierarchical or flat/p2p.
> The hard part is always certificate management, which
> has to be launched off existing trust and connections.
> So the question is, do we have certificate management
> that assumes that everyone has boundless trust in
> Verisign, and no trust in existing connections and
> existing shared knowledge, or do we have certificate
> management designed to make use of any existing
> connections, trust, and shared knowledge, wherever it is
> to be found?


Agree. Unfortunately (or fortunately) some browsers have
shipped with root CA certs for a number of years
now, which does force the end-user to "trust" the CA.
This has been great for sales of SSL certs for VeriSign
and other CAs but there is still that fundamental problem
of educating the average user (Mom/Dad) about equating
"trust" with "certs" (or root CA certs).

I'm not sure if the Chrome folks would be prepared
to ship their browser without any CA certs loaded,
but that would be an interesting and perhaps even revolutionary idea.
Assuming the Chrome UI had a nice and easy way for users
to download and install certs (trust anchors), this
approach could level the playing field and allow
other modes of trust to be played out.
Both LinkedIn and Facebook could in fact be CAs
that issue certs based on the number of verified
connections that a person had.


