>Now what you're suggesting could work if you did something like made
>some directories that stored the key IDs and web sites they belonged to.

I'm having trouble understanding how this is usefully different than a CA.

Current scenario: you do something to persuade a CA to sign your cert. Then browsers say you're OK, which is a problem if the CA is sloppy.

New improved scenario: you do something to persuade a directory to list your key ID. Then some manual or automatic process makes your web site appear OK, which is a problem if the directory managers are sloppy.

What am I missing here?

This all boils down to the introduction problem, how do you persuade one party that a second party who they don't know yet is OK. It's always the weak link in any security model which has a perimeter with nice people inside and unknown or nasty people outside.

R's,
John

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
