Ian,

[EMAIL PROTECTED] wrote:


In time, however, I fully expect all CAs to promote self-signed certs, as aggressively as I do.

One day, Certificate Authorities ("CAs") will
defend our right to use self-signed certs, and
deny ever having said anything to the contrary.
It will be the thought crime of the age to think
in any other terms, a failure of your patriotic
duty, the denial of purity and essence of our
natural ...  yadda yadda....

Just wondering, what role would the CAs play if everybody used self-signed There is no cert hierarchy, as every cert is self signed.
So allow me to doubt that CAs are going to advocate that, if for reasons of survival only.


Firstly, CAs would now be able to see who was
using certs and thus who cared.  I.e., what
sites care enough to actually promote and use
their easy crypto install, and what sites just
let it lie fallow.

Great - so now self-signed certs are used as a spamming tool for CAs to market their certs. Not that it would be the first time that certs (which are public) were used for that purpose, though.


NONE -> self -> auto -> minimal -> MAXIMAL


The step from one gradation to the next is much much smaller, and thus cheaper and easier on the thought process of our currently unshod masses. Five small steps replace one huge leap (and any number of additional steps could be added to smooth out the slope in future years).

There is no binary treatment of certs today - in fact, there are 3 cases for servers:
1) not using SSL
2) using SSL with a self-signed, untrusted cert, for free. This brings a browser warning.
3) using SSL with a generally trusted cert, at some cost. This eliminates the browser warning.


For your suggestion to work, there has to be an incentive to upgrade from the self-signed certificate to something better.

Automatically trusting all self-signed certs in Mozilla would reduce the 3 cases to 2, and have the result of eliminating any incentive for anyone to upgrade from self-signed certs.

Achieving your goals is already possible without any changes to Mozilla or any other browser. Nothing stops any server developer from adding a feature that automatically generates self-signed server certs and installs them readily.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto