Tuesday, December 04, 2001, 6:58:38 PM, Eric Smith wrote:

>> There should have been two separate mechanisms for encryption
>> and identity verification in the first place; it's silly to lump the
>> two together as one mechanism.

> Encryption is entirely useless if you can't confirm the identity of
> the other party, because it is subject to man-in-the-middle attacks.

There is no valid confirmation being done by the existing CA's either. Further, that identity checking is useless, since they accept no responsibility for it; their CPS's specifically disclaim any responsibility or liability for identity of the cert holders.

> However, contrary to what some have claimed here, all I expect out of
> the certificate is proof that the server that handles IP traffic for
> the domain name "www.ibm.com" is being operated by (or at least with
> the authorization of) the party that is responsible for the ibm.com
> domain.

That is what the Geotrust method does, using the whois data and admin contact for the domain to approve the certificate request.

> SSL certificates to solve that problem. Therefore I find it perfectly
> acceptable for the authentication requirements to obtain a certificate
> to be no more strict than those to obtain or transfer a domain name.

Great, I'm glad we agree :)

--
Best regards,
William X Walsh <[EMAIL PROTECTED]>
--
Webcertificates.info
SSL Certificates for resellers from $49ea
