That is something that always bothered me about the current PKI that we use for ecommerce and SSL. I, for one, never agreed to trust Verisign, Thawte, or any of the dozens of other CAs in my browser that I've never heard of. Yet the absolute number 1 rule in PKI is you HAVE to TRUST the CA. If you don't trust the CA, then everything else goes out the window. Who decides the "trusted" CAs that get distributed with IE, Netscape, Mozilla, etc.? Perhaps this is documented in the SSL specs somewhere? I assumed the app vendor makes the choice... and I'm not too keen on letting Microsoft decide who we can/can't trust, especially when it involves money.
An open source/public CA sounds like a good idea, but it does take a lot of time and money to verify who people say they are. You can't just go around signing certificates for every Tom, Dick, and Harry, when come to find out, their names are really Moe, Larry, and Curly. I think the CA needs to be backed by the government. By the NSF, or maybe even the SEC if it concerns ecommerce.

The other thing that pisses me off is Verisign makes billions and billions of dollars by just sending you a little text file. That'll be $250/year, per server. I wish I would have had that idea, haha....

ray

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                       http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist              AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

On Sun, 29 Sep 2002, Tim Fournet wrote:

> My guess is there is some process involved in getting added to the list
> of "well-known" CAs that applications such as mail user agents and web
> browsers know to look up against. That being done, it would require a
> grass-roots type of web of trust to validate public keys, such as what
> Thawte's personal key program does/did (only truly free). This is
> certainly something that's possible within the Open Source community. I
> wonder if there is anyone else about, especially in the Liberty Project,
> who's thinking of doing this.
>
> -Tim
