On Tue, 4 Dec 2001 16:29:24 -0500, Darryl Green wrote:

> For these types the benefit right now is just avoiding the scary security
> messages that come up if the certificate is not blessed by an authorized CA
> and not in the underlying securities that certificates provide.
I think that's a big misconception, that having positive identification of the cert owner somehow adds some additional underlying security to the transaction. IMO, it doesn't. The entire value of the SSL cert is in the protection of the data communications and the prevention of the 'scary dialogs'. Many large-scale CC data thefts have occurred from well-known sites that had "blessed" certificates - which were no help at all in preventing the crimes.

The bottom line is that it's up to the consumer to decide who they will deal with, and having a CA vouch that a particular vendor is who they say they are really adds very little of value to the process. Identity validation does nothing to ensure that the vendor is honest, reliable, or more importantly, that their stored data is secured and used appropriately. The current system only serves to keep the cert prices inappropriately high and much less convenient for server operators and domain owners to implement than they need to be.

I find nothing at all wrong with a class of certs (QuickSSL) that allows web users to easily (i.e. no scary dialogs) make use of SSL data encryption without server identity validation. It's still up to consumers to make smart decisions about who to do business with.

=========================================================================
Jim Whitelaw                          tel: +1.780.975.1534
jim-at-pdsys-dot-com                  fax: +1.780.484.9239
Pathways Data Systems Inc.            http://www.pdsys.com
=========================================================================
"It is best to assume that the network is filled with malevolent entities
that will send packets designed to have the worst possible effect."
- F.Baker, RFC1812
