On Mon, 8 Jul 2002, Alberto Serra wrote:
> Chris Shiflett wrote:
>> Of course, as users of Web browsers such as Netscape and Internet 
>> Explorer, we have to trust AOL/Time Warner and Microsoft, respectively, 
>> (yeah, scary thought) to only trust CAs that have high integrity, 
>> security, etc. An extensive C&A (Certification and Accreditation) 
>> process is used to make this guarantee.
> 
> Yes, but this is the part I doubt. When I buy a certificate from Kiev, 
> how on earth those guys sitting in Washington are to know who I am and 
> what I do for a living? They will have to hand the job to someone 
> else. This layering of delegations will include banks and governmental 
> stuff, and there is no such thing as a government that will not accept 
> bribery.

We (in the USA) bought our corporate certificate from Thawte, a company in
South Africa.

You wouldn't believe the amount of stuff they had me dredge up; it was
like a scavenger hunt. I had to get the lawyers to dig out the official
incorporation documents; I had to get accounting to dig out all sorts of
tax bills; I had to get phone bills and executive signatures and who knows
what else. When I sent them some Delaware incorporation document, they
were familiar enough with the format to know that an (unnumbered) page was
missing, and to ask me to find it and fax it to them.

> What we *do not* believe (correct me Richard if I misunderstood you) is 
> that Verisign (or whoever in their place) will actually do more than 
> verifying that www.goodguys.org is really existing and it's there. And 
> this is just a protection against hackers but has nothing to do with 
> consumer's privacy or security. People at goodguys.org will not be 
> checked anyway as far as their behaviour as a company is concerned (that 
> would cost *much* more than $200 and it would be way too easy for the 
> crooks to buy themselves a virginity by doubling the money).

Nobody thinks they're checking whether or not goodguys.com are good guys. 
It is your job as a consumer to research them. Once you have researched 
them and decided to do business with them, the certificate authority gives 
you a pretty solid basis for believing that you actually are dealing with 
the people you were prepared to trust. That's the point.

miguel

