Bill Michaelson wrote:
>
> > After the Verisign acquisition of Thawte, there remain few signing
> > authorities who will perform services for a reasonable fee.
> >
> > Maybe the OpenSSL group should launch a new not-for-profit application
> > verification and certificate signing service?
>
> That's also my initial impulse, but it's such a tricky business.
> [..]
> This whole matter is filled with irony, not the least of which is that
> obtaining a certificate from Verisign, in my view, does very little to
> confirm the trustworthiness of the holder, but it makes such a world of
> difference to clients who see the little key in the corner of their
> browser window.
You're absolutely right.
AFAIK the German BSI (http://www.bsi.de/) certified the SSL-enabled
online-banking process under the assumption that the user deletes all CA
certs in his web browser and reinstalls the necessary certs from disk,
checking the fingerprints...
In a German newsgroup a guy reported his experiences with his bank when
trying to check the fingerprints of the certs involved. It took him several
phone calls to find a person who even knew what a fingerprint is. But no
final success with this procedure...
IMHO it makes more sense to help people understand the whole
certification process and to help organizations run their own
organization-wide CA for issuing certs which are meaningful for their
application. IMHO we have to admit that there's no way to set up a
global PKI which is trustworthy enough for all users and applications.
Anyway, there are other commercial CAs on the market...
Ciao, Michael.
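The fingerprint check that the BSI procedure above expects a user to do by hand (reinstall the CA cert from disk, then compare its fingerprint with a value obtained out of band), written out as an added example. This is not code from the original mail or from the OpenSSL project; it uses only the Python standard library. The sample PEM is constructed dummy bytes wrapped in PEM markers, not a real certificate, and all function names are my own. A fingerprint is just a hash over the DER bytes, so the same code works on a genuine CA certificate file.

```python
"""Verify a CA certificate against a fingerprint obtained out of band.

Added example, not from the original mail.  Standard library only.
"""
import base64
import hashlib
import hmac
import ssl

# Constructed placeholder: arbitrary bytes wrapped as a PEM "certificate".
# It is NOT a real X.509 certificate; it stands in for the CA cert file a
# bank would hand out on disk.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(bytes(range(256))).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Fingerprint in the form browsers and `openssl x509 -fingerprint`
    print it: upper-case hex pairs separated by colons."""
    der = ssl.PEM_cert_to_DER_cert(pem)          # strip PEM armour, base64-decode
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonicalise a fingerprint as read over the phone or typed by hand:
    accept lower case, spaces or colons, and re-emit the colon form."""
    hexdigits = "".join(ch for ch in fp if ch.isalnum()).upper()
    if len(hexdigits) % 2 or any(ch not in "0123456789ABCDEF" for ch in hexdigits):
        raise ValueError("not a hex fingerprint: %r" % fp)
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def verify(pem: str, expected: str) -> bool:
    """True iff the certificate's fingerprint equals the out-of-band value.

    The hash is chosen from the length of the expected value (SHA-1 has 40
    hex digits, SHA-256 has 64), so values printed by old tools and by
    current ones are both accepted.  The comparison is constant-time.
    """
    expected = normalize(expected)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(expected.replace(":", "")))
    if algorithm is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    actual = fingerprint(pem, algorithm)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def trust_only_verified_ca(pem: str, expected: str) -> ssl.SSLContext:
    """The BSI procedure as a TLS client configuration: start from an
    EMPTY trust store (the "delete all CA certs" step), and add exactly
    one CA, only after its fingerprint matched the out-of-band value.

    Needs a genuine CA certificate; the dummy SAMPLE_PEM will be rejected
    by load_verify_locations once the fingerprint check has passed.
    """
    if not verify(pem, expected):
        raise ValueError("fingerprint mismatch, refusing to trust this CA")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check, no CAs
    ctx.load_verify_locations(cadata=pem)
    return ctx


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print("SHA256 fingerprint:", fp)
    # The value as someone might read it out over the phone.
    spoken = fp.lower().replace(":", " ")
    print("matches out-of-band value:", verify(SAMPLE_PEM, spoken))
```

For a real CA file the equivalent command line is `openssl x509 -noout -fingerprint -sha256 -in ca.pem`; the point of the context-building function is that the only CA the client ever trusts is the one whose fingerprint was confirmed through a second channel, which is what the BSI assumption amounts to.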
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]