At 09:16 04/06/02 -0600, you wrote:
>I have said this before in this group and I will repeat it.  I see nothing that would 
>stop a felon in prison from incorporating a company and getting a cert.  

And she should be allowed to. The certificate will say that it was issued to that 
company. The certificate is entirely legitimate and should be trusted, because what it 
says is true: "company X exists, and this certificate was issued to company X".

>The bottom line is that the theory is fine... but in practice I feel commercial CAs 
>should be institutions that we already trust - like the local bank or law office.  

I don't trust your local bank or law office. I don't even know who or where they are.

>In practice I think "good" works like this.  Any cert that does not fire up a warning 
>message from the windows machine running the browser would be considered good.  This 
>means that one can use any of many ways to load a "good" cert into the machine.  
>Windows has a LOT of exploits.  Security is only as strong as the weakest link.  This 
>means the end user is probably the biggest security weakness in most cases.  Simply 
>pop up a dialog that asks the user to download the cert you want as a prior step.  
>Perhaps write a signed active-x control and use it to install your own cert.  If the 
>machine is vulnerable to a virus then one can use that hole to install a cert.  

This is entirely true. The only browser that can really be trusted is one into which 
new certificates can never be installed and which refuses to connect to a site if the 
certificate can't be verified.

Whether such a browser would be useful in the real world is another matter.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]