On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote:
> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
> >
> > Out-of-band corroboration of a certificate's authenticity is kind of
> > necessary to the security model of SSL/TLS.  A self-signed certificate,
> > in and of itself, is not really sufficient to ensure the absence of a man
> > in the middle attack or other compromise of the system.
> >
> > On the other hand, I don't trust Verisign, either.
> In the less virtual world, we only trust governments to provide identity 
> papers (manufactured by companies, but still the records are kept and 
> verified by a government entity).
> Instead of trying to regulate the internet and provide a penal system, 
> governments would do much better taking their responsibility on these issues. 
> It shouldn't be so hard to give every citizen the option to "get an online 
> certificate corresponding with their passport" and similarly for Chambers of 
> Commerce to provide certificates for businesses.

My distrust of the certifying authority is not mitigated by replacing
Verisign with FedCorp.  Institutional incompetence is typically a result
of bureaucracy -- and even major corporations don't get as mired in
bureaucracy as government.

Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Bill McKibben: "The laws of Congress and the laws of physics have
grown increasingly divergent, and the laws of physics are not likely to
