On Sun, Sep 19, 2004 at 08:03:17PM +0100, Andrew Suffield wrote: > > certificate. A thrustworthy CA does all kind of background checks in order > ^^^^^^^^^^^^ > > to assure that he's giving a certificate to the correct person/company (not > > somebody trying to suplant them) and to check that the certificate is being > > handled correctly so that it is not that easy to be lost. > > So very appropriate. > > The extant CAs aren't appreciably trustworthy, nor are they > appreciably secure, and users can't tell the difference anyway. This I was not actually thinking in my previous answer about the common CAs (Verising, Thawte, ValiCert, Entrust...) bundled with most software [1]. I was thinking on internal-use CAs, for example, a company's CA, which can serve quite well in closed environments (a single organisation) through a PKI environment. > doesn't matter because nobody attacks anything worthwhile by capturing > traffic. SSL is basically irrelevant on the modern internet [see > crypto-gram, earlier this year]. Well, interception and sniffing attacks (i.e. dsniff) cannot be made in a large scale, so that's why trojan horses, phishing attacks and direct database theft are much more common. Not that SSL would prevent interception attacks, since most people will blindly say yes to the "Accept this certificate" prompt they are show when shown a certificate that is different from their bank. However, I do believe PKI has a place in controlled environments, where users can at least be educated and their systems can be preconfigured to avoid presenting those "Do you agree?" prompts. Regards Javier [1] The ones that show up when you do in Mozilla Preferences -> Privacy & Security -> Certificates -> Manage Certificates -> Authorities
Attachment:
signature.asc
Description: Digital signature