It gets critical when you *change* the cert towards one party. E.g. you wrote an email to me yesterday with the AOL cert, but today using the Thawte cert. I *should* get a bold warning from Mozilla about that, just like SSH does. I'd have to re-validate you, which is hard and people wouldn't do in practice, unless there's an automatic way to do it, e.g. by you sending the new cert to all your contacts, that mail signed with the old cert, and the client automatically detects that and chains the 2 certificates (in that direction only).
Actually there is a few major assumptions in your thinking here...
1) You assume the CA to always be valid, and always under the same root certificate, this isn't the case, CAs have already onsold root certificates or just gone out of the business.
2) It's still anti-competitive to stick people to one CA, they sign up first year for say $5, then every other year the CA slugs them $500 cause they can't go anywhere else...
3) Certificates expire and are stolen, sure they can be revoked, but said CA has a revoke fee of $500...
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
