WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Wed, 28 Jul 2004 10:00:24 -0700

Rubbish.  The problem is very real: How do I verify someone's identity,
if I know nothing about them?  Certificate Authorities solve this
problem by verifying this unknown person for me - and subsequently
signing his certificate.  Now, I only need to trust the CAs and their
vetting process, and I automatically trust the people they've vetted.

But the vetting process for a free email cert is minimal.  I've received
certs for all sorts of other names because it's easy to create email
addresses, including using names like bill.clinton () hotmail com and then
getting a cert for that email address.  And nobody has any other cert today,
so relying on such certs is pointless because they don't exist.  This gets
much murkier for international communications.  And how do you know to
trust some of the 40+ CAs that are out there?  Verisign once issued two
certs for Microsoft to criminals, and Verisign surely is the leader and a
Microsoft cert certainly must have undergone the utmost rigor, yet there you
have it.

Have you never heard of a forged passport or driver's license?  The more
credentials, the more we're suckered into believing something when we see
the credential, even if the credential is not legit.

And as for SSL, only the web site requires them, and it's rather easy to
trick people into believing they are secure when they are not, including
having a legit cert for a domain that tricks people long enough to do the
crime, like www.microsoft-support.biz or whatever...

David
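The closing point above, that a perfectly valid certificate can be issued for a lookalike domain such as www.microsoft-support.biz, is something a defender can check for separately from TLS validation. The script below is an added example, not code from the original post or its author: it flags hostnames that contain a protected brand name while sitting outside the registrable domains that brand actually owns. The brand list, the owned-domain sets and the sample hostnames are all constructed for illustration, and the registrable-domain logic is deliberately simplified (last two labels, no Public Suffix List).

```python
"""Flag hostnames that borrow a protected brand name outside the brand's own
registrable domain.  A publicly trusted certificate for such a name can be
entirely valid, so this is a policy check layered on top of certificate
validation, not a replacement for it.  All brands, owned domains and sample
hostnames below are constructed for the example."""

import re

# Constructed example data: brands of interest mapped to the registrable
# domains they legitimately own.  A real deployment would load this from config.
PROTECTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoft.net"},
    "verisign": {"verisign.com"},
}


def registrable_domain(hostname):
    """Simplified registrable domain: the last two DNS labels.

    This is wrong for multi-label public suffixes such as co.uk; a production
    check would consult the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def brand_tokens(hostname):
    """Split every label on hyphens, underscores and digits so that a label
    like 'microsoft-support' yields the tokens 'microsoft' and 'support'."""
    tokens = []
    for label in hostname.lower().split("."):
        tokens.extend(t for t in re.split(r"[-_0-9]+", label) if t)
    return tokens


def lookalike_brands(hostname, brands=PROTECTED_BRANDS):
    """Return the set of protected brands that appear somewhere in hostname
    while the hostname's registrable domain is not one that brand owns."""
    reg = registrable_domain(hostname)
    hits = set()
    for brand, owned in brands.items():
        if reg in owned:
            continue  # the brand's own domain: 'support.microsoft.com' is fine
        for tok in brand_tokens(hostname):
            # substring match so 'microsoftsupport' is caught as well;
            # short brand names would need a stricter rule to avoid noise
            if brand in tok:
                hits.add(brand)
                break
    return hits


def is_lookalike(hostname, brands=PROTECTED_BRANDS):
    """True when hostname uses a protected brand outside its owned domains."""
    return bool(lookalike_brands(hostname, brands))


if __name__ == "__main__":
    # Constructed sample hostnames, including the one from the post.
    for host in ["www.microsoft-support.biz", "support.microsoft.com",
                 "login.verisign.com", "secure-verisign-login.example",
                 "www.example.org"]:
        print(f"{host:32} lookalike={is_lookalike(host)}")
```

The check is intentionally independent of whether the certificate chain validates: a browser or client will accept www.microsoft-support.biz if its cert was issued by any trusted CA, so the brand-versus-registrable-domain comparison has to be an explicit policy step (for example in a proxy, mail gateway or phishing-report triage tool).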
