On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote:
> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
> >
> > Out-of-band corroboration of a certificate's authenticity is kind of
> > necessary to the security model of SSL/TLS. A self-signed certificate,
> > in and of itself, is not really sufficient to ensure the absence of a man
> > in the middle attack or other compromise of the system.
> >
> > On the other hand, I don't trust Verisign, either.
>
> In the less virtual world, we only trust governments to provide identity
> papers (manufactured by companies, but still the records are kept and
> verified by a government entity).
> Instead of trying to regulate the internet and provide a penal system,
> governments would do much better taking their responsibility on these issues.
> It shouldn't be so hard to give every citizen the option to "get an online
> certificate corresponding with their passport" and similarly for Chambers of
> Commerce to provide certificates for businesses.
My distrust of the certifying authority is not mitigated by replacing
Verisign with FedCorp. Institutional incompetence is typically a result
of bureaucracy -- and even major corporations don't get as mired in
bureaucracy as government.

-- 
Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Bill McKibben: "The laws of Congress and the laws of physics have
grown increasingly divergent, and the laws of physics are not likely to
yield."