Rayservers wrote:
I have proposed that we strip out ALL outside certificate authorities from an open source browser, and distribute such... and to practice what I preach, I just went into FF and nuked the bunch - and whee, I can connect, verify the cert and login :). The USER - a la monkey sphere - has to decide if she trusts the Certificate Authority - who the hell are they anyway? And to answer my own rhetorical question - those that issue the highest TRUST certificates to licensed scammers a.k.a. the banks. I do not trust a single one of the recommendations of official CAs. If I am forced, like one has to in this world - to visit a bank website, I can figure out how much I distrust them all by myself. All I want to know is "am I visiting the same site again"... and a "self signed" cert is all I need, "ssh style". And yes, I love the monkeysphere approach which would add meaningful levels of trust to that choice. And no - there is no difference in my trust level if the cert says "self signed" or "fairysign super duper" perhaps the former is better! - at least fairysign cannot go off and bless the MITM - especially of any sites I run!
It's a nice theory, but doesn't cover first-visit scenarios, nor the yearly rekey grind of giving CAs (large amounts of) money for the results of a fairly easy math problem. What I would prefer is some parallel system where person 'x', who I trust, may or may not have visited site 'y', and may or may not have signed the then certificate, the signature for which (with its date of providence) is then stored *on the site* for me to access through a well-known URL. That way, I can look with suspicion at sites which do not have such a certificate, investigate myself if they are serving the certificate I am expecting to see (and how do I do that? I have tried in the past phoning companies to obtain their website public key for independent verification; most don't know what one is, a few have even said they can't disclose that as it is *privileged information*....) But, who do I trust for that, who do *you* trust for that, and will those people be willing to give up a significant slice of time every year revisiting websites after their certificates are renewed, and facing the same hurdles I did (the complete ignorance of most companies as to how their websites' certificate works and unwillingness to supply an accurate fingerprint over the phone).
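The "ssh style" check Rayservers describes (only asking "am I visiting the same site again?", with no weight given to who signed the certificate) and the rekey problem the reply raises, as an added example that is not code from either poster: a minimal trust-on-first-use pin store in the shape of an ssh known_hosts file. The certificate bytes, host name and JSON file layout are constructed for the example; a real client would pass the DER certificate it received during the TLS handshake.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# The second one models the yearly rekey: same host, new key, new fingerprint.
CERT_2010 = b"constructed-cert-bytes-for-example.org-2010"
CERT_2011 = b"constructed-cert-bytes-for-example.org-2011-rekeyed"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, ssh-style prefix for readability.
    Issuer, CA chain and the 'self signed' flag are deliberately ignored:
    continuity of the certificate is the only thing being checked."""
    return "SHA256:" + hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use store: host -> pinned fingerprint.

    Persisted as a JSON object when a path is given (assumed format for this
    example); kept in memory otherwise.
    """

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der: bytes) -> str:
        """Returns FIRST_VISIT (pin recorded), MATCH, or MISMATCH.
        MISMATCH is the case a caller must refuse to proceed on: the site is
        either rekeyed or intercepted, and only the user can tell which."""
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First visit: nothing to compare against, so the pin is taken on
            # trust. This is the gap the reply points at.
            self.pins[host] = fp
            self._save()
            return "FIRST_VISIT"
        if pinned == fp:
            return "MATCH"
        return "MISMATCH"

    def accept_rekey(self, host: str, der: bytes) -> str:
        """Explicit user decision after an out-of-band check (e.g. a fingerprint
        confirmed with the operator): replace the old pin. Returns the new pin."""
        self.pins[host] = fingerprint(der)
        self._save()
        return self.pins[host]


def demo() -> list:
    """Walks one host through first visit, repeat visit, rekey and acceptance."""
    store = PinStore()  # in-memory for the demo
    host = "example.org"
    outcomes = [
        store.check(host, CERT_2010),   # FIRST_VISIT
        store.check(host, CERT_2010),   # MATCH
        store.check(host, CERT_2011),   # MISMATCH: rekey or MITM, refuse
    ]
    store.accept_rekey(host, CERT_2011)  # user verified the new key out of band
    outcomes.append(store.check(host, CERT_2011))  # MATCH
    return outcomes


if __name__ == "__main__":
    for step, result in zip(["first visit", "revisit", "after rekey", "rekey accepted"], demo()):
        print(f"{step:15s} -> {result}")
```

The store never consults a CA: a certificate that changes from "self signed" to one issued by any CA still shows as MISMATCH, which is exactly the behaviour Rayservers wants. What the code cannot do is distinguish a legitimate annual rekey from an interception, so `accept_rekey` is a separate, deliberate step rather than something `check` does on its own.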