At 12:08 PM +0000 11/19/2000, Perry commented:
[I see you've never paid attention to how easy it is to get a certificate, Ben. I suspect I could get one in the name of any company with about 20 minutes of unskilled forgery. The level of checking done is trivial. This wouldn't be a problem except for the fact that all CAs disclaim any and all liability for practical purposes. --Perry]
Perry's last sentence gets to the heart of the matter. If CAs included a financial guarantee of whatever it is they are asserting when they issue a certificate, then all these problems would go away. The CAs would have a strong interest in clarifying the semantics of certificates and would choose technology and verification methods that optimized the risk vs cost (including difficulty of use) tradeoff. I believe the reason this has not happened yet is that various business interests perceive an opportunity to get the government to shift all risk to the consumer by snowing legislators with crypto mumbo-jumbo. That is an even cheaper solution from the business interests' perspective.

Arnold Reinhold