Ka-Ping Yee wrote:
> But, as I said, right now Mozilla doesn't seem to have the power to hold
> Verisign accountable for its errors. It would be good to find ways
> to hold CAs more accountable. Part of the problem is that the structure
> of PKI strengthens monopolies: as a web user, you don't have the option
> to choose which CAs you trust. When you go to a bank website, you only
> get a signature from a single CA -- take it or leave it. In that
> position, you can't exert any competitive pressure on CAs. The power
> balance might be different if the SSL protocol turned this around:
> browsers and browser users select the CAs they trust, then the browser
> tells the website what CAs it will accept and the website must present an
> acceptable certificate. This would encourage websites to get certificates
> from many CAs, hoping to meet the standards set by the users.

Not feasible, but one of the better ideas I've heard lately! :-)
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
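The reversed negotiation sketched in the quoted mail, as an added simulation that is not part of this thread: the client announces the CAs it trusts, the site picks one of its chains rooted at an accepted CA, and the client still verifies the chain it receives. All CA names, the hostname and the chains are constructed for the example (TLS 1.3 later added a `certificate_authorities` extension, RFC 8446 section 4.2.4, that lets a client signal accepted CAs in a similar way).

```python
"""Simulation of client-selected CAs: the site holds certificates from several
CAs and must present one the client accepts. Names/chains are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # issuer == subject marks a self-signed root


# Constructed example: the site holds certificates from three different CAs.
SITE_CHAINS = {
    "CA-Alpha": [Cert("bank.example", "Alpha Intermediate"),
                 Cert("Alpha Intermediate", "CA-Alpha"),
                 Cert("CA-Alpha", "CA-Alpha")],
    "CA-Beta":  [Cert("bank.example", "CA-Beta"),
                 Cert("CA-Beta", "CA-Beta")],
    "CA-Gamma": [Cert("bank.example", "CA-Gamma"),
                 Cert("CA-Gamma", "CA-Gamma")],
}


def chain_root(chain):
    """Return the root subject of a well-linked chain, or None if it is broken."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return None
    last = chain[-1]
    return last.subject if last.issuer == last.subject else None


def server_select_chain(chains, accepted_cas):
    """Site side: return the first chain rooted at a CA the client accepts."""
    for chain in chains.values():
        if chain_root(chain) in accepted_cas:
            return chain
    return None


def client_handshake(trusted_cas, hostname, chains=SITE_CHAINS):
    """Client side: announce trusted CAs, then verify what the site presents.
    Returns the root CA the connection ends up relying on, or None on failure."""
    chain = server_select_chain(chains, trusted_cas)
    if chain is None:
        return None  # site cannot satisfy the user's CA policy: handshake fails
    root = chain_root(chain)
    if chain[0].subject != hostname or root not in trusted_cas:
        return None  # never accept a chain merely because the site offered it
    return root
```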
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security