On 2004-09-17T19:27:09-0700, Major Variola (ret) wrote:
> At 06:20 AM 9/17/04 +0000, Justin wrote:
>> On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote:
>>> At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
>>>> Except that certs need to be signed by authorities that are trusted.
>>>
>>> Name one.
>>
>> Oh, come on. Nothing can be absolutely trusted. How much security is enough?
>> Aren't the DOD CAs trusted enough for your tastes? Of course, 'tis problematic for civilians to get certs from there.
>
> DoD certs are good enough for DoD slaves. Hospital certs are good enough for their employees. Joe's Bait Und Tackle certs are good enough for Joe's employees. Do you think that Verislime is good enough for you?

No, verislime is not good enough for me, for ethical reasons, not security reasons. What's good enough for most businesses is anything that keeps customers from seeing self-signed cert warnings. Given the choice, I'd pick geotrust over no-thawte or verislime. The only reason they're in business is because of browser warnings. It has nothing to do with "physical security" offered by the CA, or threat models, or anything of that sort.

For e-commerce, nobody needs high security. Anyone using a high-credit-limit account online without a liability limit in case of account theft is a moron.

-- 
The old must give way to the new, falsehood must become exposed by truth, and truth, though fought, always in the end prevails. -- L. Ron Hubbard