What are the alternatives to the architecture you described as being a problem? How would you do it?
At 01:08 AM 9/29/2002 -0500, you wrote:
>That is something that always bothered me about the current PKI that we
>use for ecommerce and SSL. I, for one, never agreed to trust Verisign,
>Thawte, or any of the dozens of other CAs in my browser that I've never
>heard of. Yet the absolute number 1 rule in PKI is you HAVE to TRUST the
>CA. If you don't trust the CA, then everything else goes out the window.
>Who decides the "trusted" CAs that get distributed with IE, Netscape,
>Mozilla, etc.? Perhaps this is documented in the SSL specs somewhere?
>I assumed the app vendor makes the choice... and I'm not too keen on
>letting Microsoft decide who we can/can't trust, especially when it
>involves money.
>
>An open source/public CA sounds like a good idea, but it does take a lot
>of time and money to verify who people say they are. You can't just go
>around signing certificates for every Tom, Dick, and Harry, when come to
>find out, their names are really Moe, Larry, and Curly. I think the CA
>needs to be backed by the government. By the NSF, or maybe even the SEC
>if it concerns ecommerce.
>
>The other thing that pisses me off is Verisign makes billions and billions
>of dollars by just sending you a little text file. That'll be $250/year,
>per server. I wish I would have had that idea, haha....
>
>ray
>--
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Ray DeJean                       http://www.r-a-y.org
>Systems Engineer                 Southeastern Louisiana University
>IBM Certified Specialist         AIX Administration, AIX Support
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>
>On Sun, 29 Sep 2002, Tim Fournet wrote:
>
> > My guess is there is some process involved in getting added to the list
> > of "well-known" CAs that applications such as mail user agents and web
> > browsers know to look up against. That being done, it would require a
> > grass-roots type of web of trust to validate public keys, such as what
> > Thawte's personal key program does/did (only truly free). This is
> > certainly something that's possible within the Open Source community. I
> > wonder if there is anyone else about, especially in the Liberty Project,
> > who's thinking of doing this.
> >
> > -Tim
> >
>
>_______________________________________________
>General mailing list
>[email protected]
>http://host19.nocdirect.com/mailman/listinfo/general_brlug.net

---
Dustin Puryear <[EMAIL PROTECTED]>
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com
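Added illustration, not code from anyone in this thread: the "you HAVE to TRUST the CA" rule really means trusting whatever roots sit in the application's store, and an application can just as well make that store an explicit set the operator chose instead of the vendor's bundle. The Go code below (standard library only; the CA names and hostname are constructed test data, not real authorities or sites) builds two throwaway roots and a site certificate, and `TrustedBy` accepts the certificate only when it chains to a root the caller passed in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a self-signed root CA when parent is nil, otherwise a server
// certificate for name issued by parent. All of it is constructed test data.
func mkCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root: CA flag and cert-signing key usage
		signer, signerKey = tmpl, key
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else { // end-entity server certificate bound to the hostname
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedBy reports whether leaf chains to a root the operator explicitly chose
// and is valid for host; the CA list bundled by the browser or OS vendor is
// never consulted, because the pool is built only from the roots passed in.
func TrustedBy(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty pool, not nil: nil would fall back to system roots
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Build a root of your own and a second one you never agreed to, issue a site certificate from the first, and `TrustedBy` returns true only for the root you actually passed in; the same certificate is rejected by the other root, by an empty set, and for a hostname it was not issued for.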
