In either case, we wouldn't need to worry about paying Verisign or anyone else if we had properly secured DNS. Then you could trust those pop-up self-signed SSL cert warnings.
actually, if you had a properly secured DNS .... then you could trust DNS to distribute public keys bound to a domain name in the same way they distribute ip-addresses bound to a domain name.
the certificates serve two purposes: 1) is the server that we think we are talking to really the server we are talking to and 2) key-exchange for establishing an encrypted channel. a properly secured DNS would allow information distributed by DNS to be trusted .... including a server's public key .... and given the public key .... it would be possible to do the rest of the SSL operation (w/o requiring certificates) which is establishing an agreed upon session secret key.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
