On Mon, Sep 12, 2011 at 4:39 AM, <valdis.kletni...@vt.edu> wrote:
> On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
>> If I have a thawte cert for valdis.com on host A and one from comodo
>> on host B... which is the right one?
>
> You wouldn't have 2 certs for that... I'd have *one* cert for that. And if
> when you got to the IP address you were trying to reach, the cert didn't
> validate as matching the hostname, you know something fishy is up.
>
> And if you *do* have two certs for it, I'd like to talk to the bozos at
> Thawte and Comodo who obviously didn't check the paperwork. ;)
This has already happened with mozilla.com, google.com, microsoft.com.... My point was that, as a user and as a service operator, what in today's CA world helps me know that the service operator's certificate is what my user-client sees? Some 'trust' in the fact that thawte/comodo/verisign/cnnic didn't issue a cert for the service-operator's service incorrectly? I think I need a method that the service operator can use to signal to my user-client, outside the certificate itself, that certificate #1234 is the 'right' one.
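One concrete shape for the out-of-band signal this message asks for, as an added example that is not part of the thread and not code posted by anyone in it: the client takes the leaf certificate the server presented, extracts its SubjectPublicKeyInfo, hashes it, and compares the result with a pin the operator published through a channel the CAs are not part of. A second certificate for the same name issued by another CA with a different key then fails the pin even though it chains to a trusted root, while a re-issued certificate for the same key still passes. Everything below is constructed for the example: the toy certificate builder produces structurally valid DER with a placeholder signature and fake key bytes, not real certificates, and the pin set is computed from one of those certificates for the test rather than being fetched from the operator as it would be in a deployment. The same idea was later standardized as HPKP (RFC 7469) and, carried in DNSSEC-signed DNS, as DANE (RFC 6698).

```python
"""Out-of-band SPKI pin check against a DER certificate (added example).

The pin check is an *additional* test: normal chain validation still runs.
A certificate that chains fine but whose key is not pinned is rejected.
"""
import base64
import hashlib

# ---- minimal DER encode/decode, enough to walk an X.509 Certificate -------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def read_tlv(buf: bytes, pos: int):
    """Decode the element starting at buf[pos]; return (tag, body, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Immediate child elements of a constructed body, each as its full encoding."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        _, _, pos = read_tlv(body, pos)
        out.append(body[start:pos])
    return out

# ---- the pin check --------------------------------------------------------

def spki_from_cert(cert_der: bytes) -> bytes:
    """DER-encoded SubjectPublicKeyInfo (tag and length included) of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    tbs_tag, tbs_body, _ = read_tlv(cert_body, 0)
    assert tbs_tag == 0x30, "tbsCertificate is not a SEQUENCE"
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:               # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(DER SPKI)): the pin form HPKP later used."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def cert_matches_pin(cert_der: bytes, expected_pins: set) -> bool:
    """True iff the presented certificate carries a key the operator pinned."""
    return spki_pin(cert_der) in expected_pins

# ---- constructed test data: NOT real certificates ------------------------

OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_RSA        = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_CN         = bytes.fromhex("0603550403")               # 2.5.4.3 commonName

def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, CN only."""
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def toy_cert(issuer_cn: str, subject_cn: str, public_key: bytes, v3: bool = True) -> bytes:
    """Structurally valid DER certificate with fake key bytes and a placeholder
    signature (all zeros). Chain validation is out of scope here; the pin check
    reads only the SPKI."""
    alg = seq(OID_SHA256_RSA, tlv(0x05, b""))
    spki = seq(seq(OID_RSA, tlv(0x05, b"")), tlv(0x03, b"\x00" + public_key))
    fields = [
        tlv(0x02, b"\x04\xd2"),                                   # serialNumber 1234
        alg,
        name(issuer_cn),
        seq(tlv(0x17, b"110912000000Z"), tlv(0x17, b"120912000000Z")),
        name(subject_cn),
        spki,
    ]
    if v3:
        fields.insert(0, tlv(0xA0, tlv(0x02, b"\x02")))           # [0] version = v3
    return seq(seq(*fields), alg, tlv(0x03, b"\x00" + b"\x00" * 16))

KEY_A = hashlib.sha256(b"operator key A").digest()      # stand-in for real key bytes
KEY_B = hashlib.sha256(b"someone else's key").digest()

CERT_FROM_CA1  = toy_cert("CA One", "valdis.com", KEY_A)             # the operator's cert
CERT_FROM_CA2  = toy_cert("CA Two", "valdis.com", KEY_B)             # another CA, other key
CERT_REISSUED  = toy_cert("CA Two", "valdis.com", KEY_A, v3=False)   # same key, new issuer

# In a deployment this set is fetched from the operator out of band; here it is
# computed from the operator's own certificate so the example runs offline.
OPERATOR_PINS = {spki_pin(CERT_FROM_CA1)}

if __name__ == "__main__":
    for label, cert in [("CA1", CERT_FROM_CA1), ("CA2", CERT_FROM_CA2), ("reissued", CERT_REISSUED)]:
        print(label, "pin ok" if cert_matches_pin(cert, OPERATOR_PINS) else "PIN MISMATCH")
```

Pinning the SPKI rather than the whole certificate is what lets the re-issued certificate pass: the operator keeps the same key pair and only the issuer and serial change. The caveat the message's "certificate #1234" framing hides is that a pin on the certificate itself would break on every renewal, and any pin scheme needs a rotation plan (publish the next key's pin before switching), or the operator locks its own users out.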