> After a certain point, the trust factor loses its validity and the main > point behind SSL becomes the encryption.
I'll reiterate my point one last time, then let it drop. Encryption without even a *tiny* amount of authentication is worthless, or even counterproductive. Having an encrypted session with some random entity that may or may not be who you think they are does not give any security, because there are too many ways for that communication to be compromised. It's counterproductive because it makes people think they have some security when in actuality they have none. Note that I'm not talking about needing some 100% guaranteed iron-clad authentication. Even just requiring a CA-signed cert with minimal checking will provide some protection against MITM and other attacks, which is NOT present when using encryption alone. Anyhow, I've beaten this to death and I guess we'll just have to agree to disagree.
