On Tuesday, Mar 25, 2003, at 12:28 US/Eastern, bear wrote:
> On Tue, 25 Mar 2003, Anne & Lynn Wheeler wrote:
>
>> the other scenario that has been raised before is that the browsers treat
>> all certification authorities the same .... aka if the signature on the
>> certificate can be verified with any of the public keys in a browser's
>> public key table ... it is trusted. in effect, possibly 20-40 different
>> manufacturers of chubb vault locks .... with a wide range of business
>> process controls ... and all having the same possible backdoor.
>> Furthermore, the consumer doesn't get to choose which chubb lock is being
>> chosen.
>
> Of course the consumer gets to make that choice. I can go into my browser's
> keyring and delete root certs that have been sold, ever. And I routinely
> do. A fair number of sites don't work for me anymore, but I'm okay with
> that.

Go tell that to Joe Average. Or your mom. Or my sister. Or the average MSN user. You know, the insignificant group of people that make up the majority of the Internet population these days.
"If the lock icon is displayed it is safe."
Of course the consumer doesn't get to choose. Just like the consumer never, ever gets to use all of the features on his VCR[*]. This is a software agent deficiency. A UI issue: presently the UI doesn't facilitate the consumer in making that choice.
Cheers, -J
[*] I'm *not* talking about TiVo here, just about old-fashioned VCRs.

--
Jeroen C. van Gelderen - [EMAIL PROTECTED]
"Be precise in the use of words and expect precision from others" -- Pierre Abelard
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]