I'm going to go out on a limb here and point everyone at Bruce Schneier's
paper:

http://www.counterpane.com/pki-risks.html

"Ten Risks of PKI: What You're Not Being Told About Public Key
Infrastructure", by C. Ellison and B. Schneier.

Essentially, it contends that there's no one 'guarding the henhouse', and
that commercial CAs are basically operating with no license to hand out
authoritative identifications -- but the Web is operating on trust of them
anyway.

On Thu, 9 Dec 1999, Tim (not representing his employer's opinions) wrote:

> However, the notion of a valid certificate, or public key, for
> authentication is central to the utility of strong (public-key)
> cryptographic solutions.  If you don't know who you're talking to, who
> cares how strong the cipher is?  Or vice versa, for your
> customers/clients.

---
Mat Butler, Winged Wolf                       <[EMAIL PROTECTED]>
SPASTIC Web Engineer                  SPASTIC Server Administrator


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
