I totally agree with what you are saying - and maybe there is a business opportunity in there.... a CA could issue 2 types of SSL certs - 1) based around the current model that simply asserts the identity of the server; 2) that additionally asserts that the company has passed some sort of cursory security audit surrounding the server. But then how far do you expand the realm of that audit?? Who cares if the server is locked down tighter than a banker's wallet if as you say the SQL back end is more open than Janet Jackson's bodice....
Call it a network audit then, obviously automated processes don't care if they scan 1 host or 50... However most smaller websites, the kind that don't get patched and subsequently get infected with worms and chew all the bandwidth on the internet, are usually on the same server as the website, which is more specifically what my point was aimed at, *usually* larger firms have their own audits because it's becoming too embarrassing for companies not to these days...
--
Best regards, Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
