At 12/4/01 3:41 PM, Jim Whitelaw wrote:

>I think that's a big misconception, that having positive
>identification of the cert owner somehow adds some additional
>underlying security to the transaction. IMO, it doesn't. The
>entire value of the SSL cert is in the protection of the data
>communications and the prevention of the 'scary dialogs'.

I agree. There should have been two separate mechanisms for encryption 
and identity verification in the first place; it's silly to lump the two 
together as one mechanism.

I don't think consumers even know that identity verification is 
(supposedly) taking place. Those who do know that probably also know (or 
should) that the identity verification performed by Verisign, Thawte, 
etc. is forgeable and therefore useless anyway.

I'm all in favor of certificates that provide encryption only. 
Unfortunately, I'm unlikely to ever be able to use them, because I need 
99.9% or better compatibility (one of my businesses sells screen savers 
to average people using things like AOL or WebTV to order, who bail out 
at the first scary dialog). That level of compatibility ain't going to 
happen without the Justice Department ordering Verisign to countersign 
other companies' certificates.

Sigh...

--
Robert L Mathews, Tiger Technologies
