Ian G:

If the user does not validate, then she has done a bad thing.  Yes,
KCM would be at its weakest at that point, but no software tool is
perfect;  at some stage we have to ask the user, and then by
definition the software is weak, dependent on the user.

Chiming in here....

PKI wasn't meant to facilitate certificates issued from "random". PKI is mean disallow anything it doesn't know and doesn't chain to the root. In the browser we have many roots, but it's the browser fault to allow the user to ignore and click all th way through to heaven...or hell. :-)

PKI is mean to be strict (avoiding the word perfect)! It's not meant to be "maybe" valid, "possibly" chained to a root and "likely" not an MITM. It's meant to provide a clear YES/NO answer. PKI provides what KCM can not accomplish.


Signer: Eddy Nigg, StartCom Ltd.
Blog:   https://blog.startcom.org
dev-tech-crypto mailing list

Reply via email to