On Thu, Mar 24, 2011 at 15:12:56 -0430, Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote: > > Even if that's true, it doesn't belie what I just said. If you don't > trust the CA, don't use their services at all. There is a difference between trusting them to certify a site and to not resell data about you. Some people may trust them for one of these but not the other. But for the record I do remove the certificates in firefox as the certification of some CA who talked a browser manufacturer into including their certs doesn't provide significant weight with me. > There does not exist, and never can exist, a means of securing > communication between two parties that don't trust each other unless > they both decide to place some level of trust in a third party. CAs are > just one way to do that (and clearly they need to get their act > together). Web-of-trust mechanisms are another but I don't know of any > mainstream browsers that support them. Web of trust is better than hierarchical for general use. But also it would be have been nice if browsers were design to help you make sure you are communicating with the same entity as the last time. (Sort of like how ssh does things.) For cert changes, one could sign new certs with the old ones. The current warning system is more like a protection racket that a security system. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
