-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[John R Pierce]
> and all those 'trusted' roots prove is that someone paid
> them money. I don't
> trust them any more than I'd trust an unsigned PGP key someone
> offered me.
Well, of course the idea is that the "trusted root" thoroughly
verifies a person's identity by some other channel such as checking
passport and a secondary form of ID in person. That's why they're
"trusted" roots.
Despite the accidental MS certificate issuance a few years back,
which they quickly revoked, VeriSign and the other "tier 1"
certificate providers have, in my experience, actually proven fairly
trustworthy when it comes to verifying information before issuing
certificates.
I had to jump through all sorts of paperwork hoops to get our first
Verisign cert. Also, someone from Verisign called our CEO and CFO,
asking questions about the company and *me* before issuing the
company SSL certificates to me.
Reputation is the only value Verisign and the other PKI roots really
add. So despite the fact that they're turning down a small amount of
revenue, they do in fact have a very strong incentive to NOT issue
fraudulent certificates. The reputation loss and revocation costs
from a single fraudulent issue probably outweigh the revenue from
100 or 1000 individual certificate sales. So I trust that root
providers will act in their own financial interest by not issuing
fake certificates.
Yes, there are many smaller certificate issuers that claim to be
trusted in some way, but are not a trusted root for most major
browsers or operating systems. These 3rd-tier providers typically
perform little or no checking before issuing a certificate (SSL or
email), they just take money from anybody and issue a certificate.
This is also why they're not trusted by OS or application vendors. If
MS decided to remove a root issuer from the trusted roots in Windows,
or even if a bunch of end-users decided to do it in a grass-roots
showing of mistrust, the financial consequences would be disastrous
for the issuer.
The trusted-root PKI model certainly isn't perfect, but it is the
only way two completely disconnected parties can find a way
to trust each other. They just can't do this with PGP, unless their
webs of trust connect, which is currently very rare for two
strangers. Although I love the open-source, standards-based nature of
OpenPGP, the web of trust model is the single biggest hindrance to
PGP adoption in my opinion. Average people just don't understand it,
nor do they want to attend keysigning parties.
But I'm now way the heck off topic, so I'll stop talking about PKI
here.
Regards,
Ryan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1
iD8DBQFBeU6v9wZiZHyXot4RAjz1AKDEC/32SmrVSGF/VgG7wojXO/P+tQCfSIv2
pp0h2DJ7kySVbxJYeVMPhho=
=gnc+
-----END PGP SIGNATURE-----