begin quoting [EMAIL PROTECTED] as of Thu, Nov 30, 2006 at 04:00:42PM -0800:
> On Thu, Nov 30, 2006 at 01:44:53PM -0800, Stewart Stremler wrote:
> > And there's no good way for the average user to make an informed decision
> > as to whether or not they should trust these authorities. The list is
> > long and information about most of 'em is scarce.
>
> If you can just find ONE CA you trust,
> base all your security on
> *their* cert perhaps
And force your customers to use that CA as well? Not so good for the customer.

You need to find a CA that you trust and that your customer trusts; this can largely be done by the CAs cross-certifying each other. The key constraint is that some basic level of checking must be done during the certification process. Cross-certifying merely to facilitate "business arrangements" invalidates the whole infrastructure.

Which is where the web-of-trust seems to do better (except that there's no inverse-trust relationship; if I think X is a sneaky bastard, and Y trusts X, I don't have a simple way to downgrade my level of trust in Y.), as you perform a level of checking to your satisfaction. The problem is that most people don't check very thoroughly, or don't know how to, or allow a smooth talker to convince them that they don't need to...

I'm really surprised the credit-card companies haven't gotten involved. They have the infrastructure for managing large numbers of transactions; they have the trust of the customers and the vendors; they have ready-made tokens on hand; and if I'm using my American Express to authenticate with an online vendor, chances are that as long as I have that card out, I'll use it to make the purchase as well.

--
_ |\_ \|

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
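The cross-certification argument in the reply above, as an added worked example that is not part of the thread: a small Python model of certification-path building in which a cross-certificate (CA_A vouching for CA_B's key) is just another edge, so a relying party whose only trust anchor is CA_A can still validate a certificate issued by CA_B. The CA names, the hostnames, and the 0..3 "assurance" score standing in for how much identity checking an issuer actually did are all constructed for the example; the model performs no signature verification and ignores name constraints and revocation, which a real validator must do.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: who is named, who vouched for them, whether
    the holder may act as a CA, and how much checking the issuer did
    (a constructed 0..3 scale for this example, not an X.509 field)."""
    subject: str
    issuer: str
    is_ca: bool = False
    assurance: int = 2


def find_path(leaf: Cert, certs: List[Cert], anchors: Set[str],
              min_assurance: int = 1, max_len: int = 6) -> Optional[List[Cert]]:
    """Breadth-first search from the leaf up through issuers until a
    certificate is reached whose issuer is one of the relying party's trust
    anchors. Cross-certificates are ordinary edges in this graph, which is
    exactly how CA_A's customers come to accept certs issued by CA_B."""
    by_subject: Dict[str, List[Cert]] = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    queue = deque([[leaf]])
    while queue:
        path = queue.popleft()
        top = path[-1]
        # Every link must reflect real checking: a cross-cert issued for
        # "business arrangements" only, below the policy floor, breaks the chain.
        if top.assurance < min_assurance:
            continue
        if top.issuer in anchors:
            return path
        if len(path) >= max_len:
            continue
        for cand in by_subject.get(top.issuer, []):
            # Only CA certs may vouch for others; skip certs already on the path
            # so mutual cross-certification (A<->B) cannot loop forever.
            if cand.is_ca and cand not in path:
                queue.append(path + [cand])
    return None


def validate(leaf: Cert, certs: List[Cert], anchors: Set[str],
             min_assurance: int = 1) -> Optional[List[str]]:
    """Return the subjects along a valid path (leaf first), or None."""
    path = find_path(leaf, certs, anchors, min_assurance)
    return None if path is None else [c.subject for c in path]


# Constructed sample PKI (CA names and hostnames invented for the example).
CROSS_A_B = Cert("CA_B", "CA_A", is_ca=True, assurance=2)  # A vouches for B after checking
CROSS_B_A = Cert("CA_A", "CA_B", is_ca=True, assurance=2)  # B vouches for A likewise
CROSS_A_C = Cert("CA_C", "CA_A", is_ca=True, assurance=0)  # A vouches for C on commercial grounds only
SHOP = Cert("shop.example", "CA_B", assurance=2)
OTHER = Cert("other.example", "CA_C", assurance=2)
CERTS = [CROSS_A_B, CROSS_B_A, CROSS_A_C, SHOP, OTHER]


def demo() -> Dict[str, Optional[List[str]]]:
    """Run the scenarios from the reply: shared anchor via cross-cert,
    a policy floor that rejects an unchecked cross-cert, and a relying party
    with no route to any anchor at all."""
    return {
        "A_trusts_shop": validate(SHOP, CERTS, {"CA_A"}),
        "B_trusts_shop": validate(SHOP, CERTS, {"CA_B"}),
        "A_trusts_other": validate(OTHER, CERTS, {"CA_A"}),
        "A_trusts_other_no_floor": validate(OTHER, CERTS, {"CA_A"}, min_assurance=0),
        "D_trusts_shop": validate(SHOP, CERTS, {"CA_D"}),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:26s} -> {path}")
```

The `min_assurance` floor is the point of the "business arrangements" sentence: once a relying party cannot tell a checked cross-certificate from an unchecked one, it has to either accept everything the cross-certifying CA ever signed or set a policy floor it can actually enforce, and the second requires the issuing CA to record how much checking it did.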
