Does a user of ssl services care to know absolutely that they are communicating verifiably with whom they believe they have contacted, or does the user care to know absolutely that their communication is completely private? I believe that the latter is most important; transparency through certificate presentation is kept deliberately expensive and is, as has been noted, often disclaimed by CAs, and is compromisable. It's an artificial system of site security perpetuated by the interests of commercial browsers. Why can't self-verification be promoted? Why can't an nslookup call be built into certificate presentations? Yeah I know there's no money in it and certs are one of the few things that actually makes money on the net, but sometimes the built-in dumbing of the commercial internet user by their browser goes too far. The pure truth of mathematical encryption is sold and packaged as a "certificate" to the internet user, when in fact its power and utility is free of charge, and it is only disclaimed with respect to future or unknown developments.
Stef Caunter [EMAIL PROTECTED] ########################## $ find /self -ctime +1 ###################################### --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
