On Mon, 12 Sep 2011 07:53:57 -0700 Michael Thomas <m...@mtcc.com> wrote:
> Randy Bush wrote: > >> But Gregory is right, you cannot really trust anybody completely. > >> Even the larger and more respectable commercial organisations will > >> be unable to resist <insert intel organisation here> when they ask > >> for dodgy certs so they can intercept something.. > >> > >> No, as soon as you have somebody who is not yourself in control > >> without any third party verifiably independent oversight then you > >> have to carefully define what you mean by trust. > > > > i am having trouble with all this. i am supposed to only trust > > myself to identify citibank's web site? and what to i smoke to get > > that knowledge? let's get real here. > > > > with dane, i trust whoever runs dns for citibank to identify the > > cert for citibank. this seems much more reasonable than other > > approaches, though i admit to not having dived deeply into them all. > > It seems to me that this depends a lot on how much you can tolerate > single points of failure. The current de-trusting is certainly going > to cause trouble for whoever used that CA, but the internet didn't > roll over and die either. If the root DNS keys were compromised in an > all DNS rooted world... unhappiness would ensue in great volume. > > Mike, poison and choices... > let me state clearly what am I writing about: ok, suppose, there is a site on the internet, that has a certificate issued by one of the major CAs. how could one know, that certificate wasn't issued to forged identity?
