>> I don't want to discount the importance of cert discovery, but I do
>> think it's a stretch to believe that you're going to be willing to
>> trust all of the certs that you discover in a chain of significant
>> length, for a significant set of purposes.
>
>We're already trusting chains of signficant length (i.e. DNS delegation)
>with no decent verification at all.

That's a good point.  PKI on DNS might not be the most trustworthy system 
imaginable, but it would probably be an improvement over no PKI.  Provided 
it doesn't break DNS...

/========================================================\
|John Stracke                    |Principal Engineer     |
|[EMAIL PROTECTED]   |Incentive Systems, Inc.|
|http://www.incentivesystems.com |My opinions are my own.|
|========================================================|
|E pui muove! -- Galileo                                 |
\========================================================/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to