Lynn.Wheeler@firstdata.com wrote:

the current SSL domain name infrastructure supposedly exists because of issues with trusting the domain name infrastructure ... except the SSL domain name certificate issuer has to trust the same (untrusted) domain name

infrastructure

when issuing a certificate (i.e. the SSL domain name certificate is no better than the authentication authority that the certificate authority has to rely on as the final arbitrator of domain name ownership).

one of the integrity issues with the domain name infrastructure ... is that domain names have been hijacked ... once hijacked ... you can go to certificate authority and get a certificate with that domain name (and the certificate authority will check with the domain name system and confirm that the requester owns the domain name).

The difference is that a CA _also_ binds the certificate to a legal entity. When the fraud is discovered, the identity of the fraudster is, too. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff