I never suggested there was no incentive in better security. By treating unauthenticated encryption (which you call security) in the same manner as SSL with CA authentication, all we have done is reduce the default overall level of security from very high to nil, IMO (or "self" as you call it).
There is a basic assumption here I think could bite everyone in the ass if it was taken advantage of, and that is:
Does every CA do their job perfectly 100% of the time? Only takes 1 weak link and the whole system is useless...
These checks aren't perfect, and I doubt they ever could be. The fact that MITM attacks are near impossible for most people to do just prevents CAs from having egg on their face...
In all the "checks" occurring, they mostly require fax-back documentation on business records and check white pages/DNS whois records, but realistically how hard would they be to fake? My guess is not very...
So while MITM attacks via SSL scams aren't happening, I'm pretty sure it has nothing to do with any verification checks implemented by CAs...
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
