[LINK] certificates
Craig Sanders
cas at taz.net.au
Sun Jan 14 21:46:06 AEDT 2007
On Sun, Jan 14, 2007 at 08:49:13PM +1100, Howard Lowndes wrote:
> Craig Sanders wrote:
> >or
> > - is signed by an unknown (and thus untrusted) CA
>
> Unknown != Untrusted

i didn't say "untrustworthy". i said "untrusted". an unknown CA *IS*
untrusted by the browser, compared to a known CA which *IS* trusted.
whether either of them are trustworthy or not is an entirely different
question.

a browser will pop up a scary-looking dialog box when presented with a
cert signed by an unknown CA. the user then has to decide (with minimal
information) whether to accept/trust that certificate or not. most users
will do one of two things: ignore it and click OK regardless or panic
and click Cancel regardless.

> >or
> > - is a self-signed certificate
>
> Same as previous, and I've never seen that warning

it's the same as unknown CA.

> >or
> > - doesn't match the site's details (i.e. domain name)
>
> A common problem for virtual web sites.

only when the site is run by idiots.

it generally means either a) the site is fraudulent or b) the site is
run by morons. in either case, it would be a bad idea to trust them with
your personal or credit card details.

> > if it is signed by a known CA then it's just accepted without any
> > warning or even dialog box. so we're back to the fact that the
> > commercial CAs can't be trusted as there are numerous instances
> > of them signing certificates without bothering to verify identity
> > and even, on some occasions, signing bogus certs for well-known
> > organisations (e.g. in one well-known incident a few years ago, one
> > CA signed a certificate for someone claiming to represent Microsoft
> > Corporation)
>
> A certificate signed by a "trusted" CA only means that they have paid
> the fee - nothing else.

of course. i never said, or even implied, otherwise. in fact,
i've argued on numerous occasions over the years that the whole
PKI/authorised-CA system in browsers is a massive scam, designed (by
Netscape Inc and perpetuated by Microsoft) purely to turn something that
was infinitely abundant (i.e. provision of encryption certs) into an
artificial scarcity to enable a near-monopoly.

read what i wrote. my point was precisely that you can't necessarily
trust a certificate just because it has been signed by verisign or some
other known CA.

craig
--
craig sanders <cas at taz.net.au> (part time cyborg)
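
The four cases argued over in this message (known CA, unknown CA, self-signed, name mismatch), reproduced with the `openssl` command line as an added example that is not part of the original post. The CA names and `www.example.test` are made up, and `openssl verify` with a one-entry trust store stands in for the browser's check.

```shell
#!/bin/sh
# Constructed demo: "Demo Known CA", "Demo Unknown CA" and www.example.test
# are made-up names; openssl verify stands in for the browser's check.
WORK=$(mktemp -d)

new_ca() {  # new_ca NAME "Subject CN" -> NAME.key, NAME.pem (self-signed root)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

sign_leaf() {  # sign_leaf CA_NAME OUT.pem: issue the site cert from that CA
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -set_serial 1 -days 1 -out "$WORK/$2" 2>/dev/null
}

make_certs() {
    new_ca known "Demo Known CA"       # will be placed in the trust store
    new_ca unknown "Demo Unknown CA"   # never added to the trust store
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    sign_leaf known known-ca.pem
    sign_leaf unknown unknown-ca.pem
    # Same key and name, but signed by itself instead of by any CA.
    openssl req -x509 -new -key "$WORK/leaf.key" -days 1 \
        -subj "/CN=www.example.test" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# verdict CERT HOSTNAME: "accepted" = no dialog, "warning" = browser-style prompt.
# The trust store holds only known.pem, so "accepted" says nothing more than
# "chains to a CA on the list and the name matches".
verdict() {
    if openssl verify -CAfile "$WORK/known.pem" -verify_hostname "$2" \
        "$WORK/$1" >/dev/null 2>&1
    then echo accepted
    else echo warning
    fi
}

make_certs
echo "known CA, right name:   $(verdict known-ca.pem www.example.test)"
echo "known CA, wrong name:   $(verdict known-ca.pem shop.example.test)"
echo "unknown CA:             $(verdict unknown-ca.pem www.example.test)"
echo "self-signed:            $(verdict selfsigned.pem www.example.test)"
```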