> We can show this empirically.  If you look on the stats 
> page for cert numbers, it is pretty clear that certs have 
> failed to enter into the mass market, there are a relatively 
> tiny 166k certs out there in web sites [1].  Even within 
> this small body for certs users, there is a fairly high 
> level of poor usage, by the standards of the cert suppliers, 
> something well in excess of 50%, see the last table. 

Unfortunately Mozilla, with its shrinking user base, can make only a small dent in 
this problem. If 100% of the Mozilla users get certs from the myriad of free 
certificate sites that will supposedly be produced, I doubt it could raise these 
numbers very much.
> 
> So, yes, just on the basis of cost alone, any increase 
> in the raw number of certs out there will increase the 
> security.  And one way to do it is to lower the standard 
> for getting certificates.  I for one don't see that as a 
> bad thing - I prefer to use standards to help me and others, 
> not have standards use me for their own arcane purposes. 

This argument doesn't hold up under scrutiny. We could increase the number of certs 
out there to 100% by having every browser automatically generate their own 
self-signed certificates, and trusting any certificate which is self-signed. Now you 
have encryption without identity. You know your credit card transaction was sent on a 
secure channel, you just don't know to whom it was sent! Suddenly you can proxy SSL 
sites without the user knowing.

In order for PKI to work certs must have some value (or we may as well just exchange 
public keys -- and let the governments of the world read all our SSL traffic through 
their proxied firewalls). 

bob
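The "encryption without identity" point above can be shown concretely. The following Go program is an added example, not code from bob or from the mozilla-crypto list: it generates two self-signed certificates for the same constructed hostname (`shop.example`), one standing in for the genuine site and one for an interposing proxy, and compares two client policies. The first trusts only the certificate it expects for that host; the second, the policy criticised in the reply, accepts any self-signed certificate whose name matches. Both checks are done offline with Go's standard `crypto/x509` package; the hostname and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned creates a fresh self-signed certificate for host. It models a browser
// (or a proxy) minting its own certificate with no third party involved.
// Constructed test data; never use certificates made this way in production.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // hostname checks use the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed cert must be its own (tiny) CA
	}
	// template == parent makes the certificate self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustPinned models a client that knows which certificate (key) the host is
// supposed to present: only that one is in the trust pool, and the name must match.
func trustPinned(expected, presented *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(expected)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// trustAnySelfSigned models the policy the reply warns about: a certificate is
// accepted if it is validly self-signed and carries the expected name. Anyone
// who can generate a certificate, including a proxy in the path, satisfies this.
func trustAnySelfSigned(presented *x509.Certificate, host string) error {
	if err := presented.CheckSignatureFrom(presented); err != nil {
		return err
	}
	return presented.VerifyHostname(host)
}

func main() {
	const host = "shop.example" // constructed hostname
	genuine, err := selfSigned(host)
	if err != nil {
		panic(err)
	}
	proxy, err := selfSigned(host) // a different key, same name
	if err != nil {
		panic(err)
	}

	fmt.Println("pinned policy, genuine cert:   ", trustPinned(genuine, genuine, host))
	fmt.Println("pinned policy, proxy cert:     ", trustPinned(genuine, proxy, host))
	fmt.Println("any-self-signed, genuine cert: ", trustAnySelfSigned(genuine, host))
	fmt.Println("any-self-signed, proxy cert:   ", trustAnySelfSigned(proxy, host))
}
```

The pinned policy rejects the proxy's certificate with a "signed by unknown authority" error even though it is well-formed and names the right host; the any-self-signed policy accepts it, which is exactly the channel-without-identity situation described in the reply. Real browsers achieve the pinned behaviour indirectly, by trusting a set of CA keys rather than one site key, so the value of a CA-issued certificate is precisely that a proxy cannot mint an acceptable replacement.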
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto