Michael O'Keefe wrote:
> [EMAIL PROTECTED] wrote:
>> The fact is many people think self-signed certs that make browsers give a
>> warning message about them are *bugs* in a web app.
>>
>> Does this mean *every* little web app company needs to pay the
>> "Verisign tax" to get their server keys signed by them? That's kind of
>> depressing and against the values of the web it seems to me.
>
> AFAIK, yes
> All the apps have preloaded the root-certs of trusted signatories
> If none of those root-certs are used to sign your sig, the warning is
> popped up.

Self-signed root-certs work quite well in closed communities. In general, web-of-trust seems to me much better than chain-of-trust, but the gpg-style examples of this have not found the magic recipe for getting joe-blow on board.

==> There must be a social computing answer to this social problem.

Regards,
..jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
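
The trust-store behaviour discussed in this thread, as an added example that is not part of the original messages: the same server certificate verifies for a client that holds the community's self-signed root and fails for a client that only holds a different root. The names `community`, `public` and `app.example.internal` are constructed, and all keys are throwaway.

```shell
#!/usr/bin/env bash
# Added example: constructed names, throwaway keys in a temp directory.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: create a self-signed root certificate.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1 constructed root" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert ROOT HOST: sign a server certificate for HOST with ROOT's key.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# client_accepts ROOT NAME: succeed only if NAME.crt chains to ROOT,
# i.e. ROOT is the root-cert preloaded in this client's trust store.
client_accepts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null |
    grep -q ': OK$'
}

make_root community                       # root shared inside the closed group
make_root public                          # stands in for a browser-preloaded root
issue_cert community app.example.internal

for store in community public; do
  if client_accepts "$store" app.example.internal; then
    echo "client with '$store' root: certificate accepted"
  else
    echo "client with '$store' root: warning, issuer not in trust store"
  fi
done
```
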
