nanog mailing list archives
Re: Does your Certifying Authority have a clue who you are? Do they care?
From: Joe Abley <jabley () isc org>
Date: Fri, 5 Dec 2003 11:26:22 -0500
On 5 Dec 2003, at 11:01, Valdis.Kletnieks () vt edu wrote:
> On Fri, 05 Dec 2003 09:28:05 CST, Adi Linden said:
> > While the ssl certificate is meant to verify the owner's identity, as a consumer I would never trust a ssl certificate for that purpose. It does provide a reasonable effort to keep information between me and the server confidential. That's worth something, I guess.
>
> So what does the PKI actually buy you that using a throwaway self-signed cert doesn't provide?

There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.
It doesn't matter whether the expectation is reasonable; what matters is that the expectation exists.
If there's a risk that people will be afraid to type credit card details into a merchant's web page, and that risk can be reduced by spending some relatively small number of dollars with a CA, then merchants will spend the dollars, and the myth is perpetuated.
You could try and re-educate the market, but since there's no money in teaching people not to trust CAs, it's difficult to see who would do the re-education.
Joe