Ian G wrote:

>In sum, it's a structure that does not deliver because
>it has an internal conflict in its goals and target user
>base. It serves neither properly.

If VeriSign et al. (the other guys are hardly visible) do their job reasonably well, three problems remain:

- If the CA is unknown, the user can accept it anyway with a few clicks
- Being certified does not mean that you are honest
- Phishers do not use SSL!

>So it does not grow.

Practically all serious providers use SSL and brand-name CAs, so I don't understand this statement.

To thwart phishing you need new stuff in the browsers and in the hands of the end users. Such measures have been developed, but due to the inability of browser vendors to cooperate (Mozilla included), nothing happens. That is, too many want to get rich on anti-phishing, but the fact is that nobody is going to buy. Users simply expect vendors to fix this. I think they are right....

Mutual authentication is not rocket science, but in order to work you need OTPs or PKI. That is, it is time to let passwords RIP.

Anders

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
