>> In theory you don't need to encrypt the CA certificate, but you should
>> verify its integrity somehow. This is one of the places where PKI
>> tends to cheat; it works great in the usual case where web browsers have
>> a standard list of CAs that they accept.
>
>For values of great equal to "trusting a bunch of commercial CAs proven to
>be willing to hand out signed certificates to random people with only a
>minimum of identification." I definitely would not trust, say, Verisign
>to do identity management properly. They're more interested in making
>money.

I was trying to be nice ... but yes, I agree with you. Perhaps "great" is too strong. So far, it seems that there haven't been too many problems in the common "I want to be sure I'm actually visiting https://www.paypal.com and not someone else" case ... if there was someone who was handing out paypal/amazon/ebay certificates and they were listed as a trusted CA in web browsers, people would be all over them. That one time Verisign gave out a Microsoft code-signing certificate to some unknown person (I thought it was Verisign, but maybe it wasn't ... it was one of the big names though), it was a huge deal.

But before I trusted a Verisign-signed certificate, I'd want to do some out-of-band verification that it belonged to who they said it did ... and in that case, the person should just save their money and give me their certificate directly to sign.

If there was a PKI I felt I could trust, I'd feel differently.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
