Ka-Ping Yee wrote:
> This is further evidence that we cannot rely on CAs to maintain
> clear uniqueness of certificates,

Where did CAs ever claim that they were maintaining uniqueness of the O field?


Where does this paper say that non-unique certificates are being issued? They should all be different in the CN field - the one our UI (indirectly) displays.

> and that we must enable users
> to establish trust relationships without having to depend on CAs.
>
> The only mechanism I know of that enables this is the petname.
> See http://petname.mozdev.org/.

Without SSL and CAs, how does the user know that he's connecting to the right site the very first time he connects and marks it with a petname?


Without SSL and CAs, how does the browser know that when the DNS server tells it that it's connected back to that site (and so that the browser should display the petname), it's not trojaned or poisoned?

Gerv
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
