Johannes Bauer <dfnsonfsdu...@gmx.de>:

> I think the major flaw of the X.509 certificate PKI we have today is
> that there's no namespacing whatsoever. This is a major problem, as
> the Government of Untrustworthia may give out certificates for
> google.de if they wish to do so.

But you're fine with the Government of Germany, I take it? Or any accredited German CA?

Even well-meaning CAs do a lousy job. I remember when I purchased a domain certificate from a reputable CA. How did they verify I was a rightful representative of the domain? They called the phone number I had filled in the application form -- since somebody (me) picked up the phone, they accepted my application as legitimate.

When an HTTPS URL is displayed with the green lock icon, all it means is that someone has paid good money for the certificate.

> Sounds like it's trivial to implement, I wonder why it's not in place.
> It must have some huge drawback that I can't think of right now.

How would your scheme address .com, .net, .org etc?

Marko