On Thu, 2006-11-30 at 16:19 -0800, Stewart Stremler wrote: > begin quoting [EMAIL PROTECTED] as of Thu, Nov 30, 2006 at 03:57:28PM -0800: > > On Thu, Nov 30, 2006 at 02:09:27PM -0800, James G. Sack (jim) wrote: > > > Relying on any such "authority" as is provided built-into browsers, > > > seems shaky strategy (at best). Why should I trust the certs of the CAs > > > themselves -- the only argument is that the software vendors, and hence, > > > a lot of other people do. As you say, trusting the reliability of the > > > CA's certification process is a second weak link. > > > > How about if there was //one// CA you liked and you just trusted anything > > signed > > //only// by them? Then you would only have to import their cert into your > > browser > > to be golden!? > > Ah, but I don't trust them, I trust someone else. >
I don't trust any of them. When I get our new web server and web app up and running, I plan to use our own cert. with a very clear privacy policy from our legal department. Our privacy policy will basically be, your data is your data, and will not be shared with anyone (of course the usual government BS applies). In fact, I will have some of the data encrypted in the database so that no one can read it except the customer that put it there. What was it I read/heard years ago about a back door or something provided by the CAs so that government could access the data? I can't remember what it was, but I remember it turned me off the CAs and made me decide to not renew the one I had from Verisign and to never get another one. Maybe my brother remembers what it was? (he's the one that told me about it in the first place) PGA -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
