> > I'd guess that the money Netscape collects for putting a root CA cert
> > into mozilla is used to attempt to ascertain that the CA is truly
> > legitimate, and not a rogue CA, and is still alive and well.
> > In some sense, the mere fact that the CA is willing to pay this money
> > is a measure of their legitimacy, I think. (Few rogue CAs are willing
> > to pay anything.)
While this could be true, don't you think having a rogue root CA could be worth more than $150,000? Given some of the corporate ethics out there, the ability to raise $150K doesn't really impress me as a sound security policy. Wouldn't a better way to do this be to have an international organization just provide root CAs that everyone could use? Why is it that we have all these fancy organizations for domain names and IP addresses, but not for something far more important (security)? The installation is either a black art or based upon some very questionable assumptions about human nature. BTW, how do we know that "Few rogue CAs are willing to pay anything"? Was there a study or something?

Matthew Jones
[EMAIL PROTECTED]
