On Jun 10, 2011, at 9:34 AM, Bill Ricker wrote:
>
> On Fri, Jun 10, 2011 at 8:12 AM, Edward Ned Harvey <b...@nedharvey.com> wrote:
>> Go get a free certificate from
>
> a signature with a free CA cert deserves no trust - it verifies the
> email address was the email address on a certain date only.

Which for all useful purposes is useless.

This is only one step removed from the bogus certificates for Google and Amazon that were cut a few months ago. These demonstrate the fundamental flaw in the concept of certificate authorities, a flaw that we've known about for at least two decades. Specifically: there is no mechanism to verify the CAs themselves. There is no way to detect that a CA has been subverted or compromised.

PGP was written not to use CAs specifically for this reason. This makes PGP a little more cumbersome to use, but makes it impervious to S/MIME's most egregious flaw.

--Rich P.

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss