On 3/13/2010 1:10 AM, MFPA wrote: >> Each of these adds a given amount of risk, that really should be >> made transparent to end-users IMHO. > > > I think you might mean the risk should be made *clear* to end-users? > Security is already *transparent* to end users visiting a "secure" website > whose root certificate the browser already trusts.
I guess you could think of it that way. I guess what I'm trying to say is that there might be instances where your security requirements aren't in line with what your browser already trusts. And there has to be a method to improve that and make it more "clear" / "transparent" / etc. >> Some belong to well known CAs, while others belong to less reputable >> ones. > > A lot there that I've not heard of. Could be perfectly reputable, but > I am unaware of their reputation... Again 'repute' in this context is relative. People's gold-standards can vary. I might be comfortable in trusting CA-A because they've actually never ever screwed up in the past, while I wouldn't feel the same way with CA-B because they actually have. It all goes back to how you define your security requirements. Steve Gibson on his podcast, Security Now, once talked about how a certificate from a well known CA was spoofed because of a weak hash algorithm that was used in signing. -- erythrocyte _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
