Chris Palmer <[email protected]> writes: >So, what's the way forward with this line of reasoning, again?
The OP said "this is an analogy for browser PKI". I said "no this is probably a better analogy". That was about as far as we'd gone :-). Having said that, it does allow you to reason about ways out. For example what if the browsers provided a mechanism where a CA could make a statement like "any time you see a certificate from _our CA_ (not 'any CA at all', just _our CA_) you can be assured that it's a legitimate business that will protect your credit card details (e.g. by being PCI-DSS certified) and not infect your machine with malware (via a third-party audit/scan)" (and if you want to get pedantic, add an implied "to the best of our ability to tell" to the above statements). Or what if the browsers allowed something other than "pay a CA or your customers will be scared away" as a security mechanism? Peter.
