Or a chained wildcard certificate for US$298...
I'm not so sure self-signed is the way to go, as there are no checks done at all. However, the marketing spiel on their website points out this is only good for low numbers of low transaction amounts, which we should all recognise as marketing fluff; the fact is it's just as secure as Verisign's 128-bit certificates that are US$895 these days, and unless people buy into the marketing there is literally no benefit for most/all companies to spend extra, as all it adds is informational fields in the certificate that a large majority wouldn't bother to read in any case...
With this in mind, for the most part CAcert does the same thing. My point isn't critical of their system or methods; I'm merely pointing out that it's possible to do minimal checks, at minimal cost, and still get certificates out to the masses, without completely resorting to self-signed or paying extremely high amounts for basically nothing more than giving companies licences to print money...
Setting the bar high in terms of money doesn't prevent phishing scams; they just employ workarounds to play on human ignorance. I think Ian's whole point is simple: no, security in general hasn't stopped anything. People are still being scammed, are still losing their personal details, and for the most part databases being cracked are the main targets for scammers other than spam. In any case, more PKI won't prevent the current trends; man-in-the-middle attacks can be detected in most cases, and so this shouldn't prove very tasty to anyone but a government/large telco trying to spy on people...
On the other hand, you have countries where security has to be employed for life-threatening situations. I doubt PKI is good enough for these cases at present in any case, so CAs, vetted or unvetted, won't make a difference to a determined party; all they need to do is crack the person's PC (video cameras, trojans, key loggers, etc.) or crack the server they connect to and watch packets after they've been decrypted...
In short, I'd have to agree with Ian wholeheartedly that PKI was based on a flawed threat assessment, one that was possibly a potential threat in the early days of the internet but is highly unlikely with how far things have spread and been distributed now, unless of course you force all traffic in a country through a single point...
-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
