On 2011-09-22 2:30 AM, Arshad Noor wrote:
> In the first place, as you know, browsers have a trust-store of unique
> self-signed TTP CA certificates; not cross-certified certificates. All
> SSL/TLS connections between browsers and a site with an SSL certificate
> issued by one of those TTP CAs involve a *direct* trust-chain. A
> browser user (or manufacturer) always has the ability to delete any TTP
> CA certificate from their trust-store and sever the trust-chain, at
> will. Notwithstanding the fact that most users don't know anything
> about trust-stores and TTP CA certificates, it does not change the fact
> that these are direct and independent trust-chains that can be severed
> at will.

Oh come on.
What you are saying is that in principle we could rework the PKI system
so that it is something completely different to what it is.
But it is what it is.