So, when security really matters, you'd tell people to drop the time-proven security methods and fall back on ad-hoc methods that they probably don't understand fully. Do I have that right?
Almost. We already know the PKI model is flawed in that false certificates have been issued; also, I personally don't have time to read each and every CPS of every CA (some of them are novels) stored in Mozilla and/or other browsers, and even then I doubt I'd be able to trust each and every CA out there.
Basically, the system might be secure and perfect, but the moment you include the human factor, a lot of the security built into the system goes out the window...
By verifying a particular certificate and removing all other certificates, suddenly the system becomes secure again. I'm not saying don't use HTTPS; I'm saying I wouldn't trust many, if any, CAs in a life-or-death situation... If you do, you're a much braver person than I am. It's one thing to lose $50 on a credit card that was intercepted, another entirely to have my door kicked down and be shot in some country that doesn't appreciate free speech so much...
-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
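The "verify a particular certificate and remove all the others" approach described in the post above, as an added example that is not part of the original message or of any CAcert or Mozilla code: a Python 3 TLS client that starts from an empty CA store (so no public CA, mis-issuing or otherwise, can vouch for anything) and accepts a connection only if the SHA-256 fingerprint of the server's leaf certificate matches a pin recorded out-of-band. The two certificate byte strings are constructed placeholders standing in for real DER certificates, and the network helper's host and port arguments are assumptions for illustration.

```python
"""
Certificate pinning with an empty trust store (added example, not from the post).

Instead of trusting the hundred-odd CAs in a browser store, record the SHA-256
fingerprint of the one certificate you have verified out-of-band and refuse
every connection that presents anything else.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed sample bytes: stand-in for the DER encoding of the server
# certificate you verified in person. A real deployment reads this from the
# certificate file and records only its fingerprint.
PINNED_CERT_DER = b"-- constructed placeholder for the real DER certificate --"

# Constructed sample bytes: stand-in for a certificate for the same hostname
# issued by some other CA (e.g. a mis-issued one). Must be rejected.
IMPOSTOR_CERT_DER = b"-- constructed placeholder for an attacker's certificate --"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, lower-case hex. This is the pin you
    distribute to users out-of-band."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned_fingerprints: set) -> bool:
    """True only if the presented certificate is one of the pinned ones.
    compare_digest keeps the comparison constant-time."""
    presented = fingerprint(der)
    return any(hmac.compare_digest(presented, pin) for pin in pinned_fingerprints)


def empty_trust_store() -> ssl.SSLContext:
    """TLS client context with *no* CA certificates loaded: the 'remove all
    other certificates' half of the argument. Chain validation is disabled
    here only because the pin check in connect_pinned() replaces it; never
    use this context without that check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must precede setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no CA is trusted; the pin decides
    return ctx


def connect_pinned(host: str, port: int, pinned_fingerprints: set,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and hand back the socket only if the leaf
    certificate matches a pin. Network call; not exercised offline.
    host/port are whatever the caller supplies (assumption)."""
    ctx = empty_trust_store()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned_fingerprints):
            raise ssl.SSLCertVerificationError(
                "server certificate does not match any pinned fingerprint")
    except Exception:
        tls.close()     # never return a half-trusted connection
        raise
    return tls


if __name__ == "__main__":
    pins = {fingerprint(PINNED_CERT_DER)}
    print("pin to distribute:", next(iter(pins)))
    print("CAs in strict context:", len(empty_trust_store().get_ca_certs()))
    print("pinned cert accepted:", pin_matches(PINNED_CERT_DER, pins))
    print("impostor cert accepted:", pin_matches(IMPOSTOR_CERT_DER, pins))
```

The point the code makes concrete: with `get_ca_certs()` returning an empty list, nothing any CA signs is accepted on its own, and the only thing that lets a connection through is the fingerprint you recorded yourself. The cost is operational, not cryptographic: when the server rotates its certificate, every client must receive the new pin out-of-band or it will (correctly) refuse to connect.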
