[linux-elitists] SSL security certificates

billy@damaged-world.net billy@damaged-world.net
Thu Apr 10 17:36:01 PDT 2003


On Thu, Apr 10, 2003 at 03:52:01PM -0700, Aaron T Porter wrote:
> On Thu, Apr 10, 2003 at 03:30:52PM -0700, Rick Moen wrote:
> > And before someone suggests it yet again:  The biggest reason there
> > isn't a cheap or free geek collective to run a certificate authority
> > with the aim of getting it included in common Web browsers is legal
> > liability.
> 	While being included in common web browsers may not be a
> reasonable/desirable goal, I have been thinking about setting up a "free
> geek collective" certificate authority. 
> 	What I'm imagining is a system that uses a PGP/GPG ring of trust
> to establish identity and then building some sort of a "Six Degrees"
> social network to establish the validity of a certificate request. I'm
> still not 100% certain that a reliable network of trusted friends would be
> large enough to be of general use or if opening a private group certificate
> authority to the public is a fantastic idea, but I think it might work.

	The "web of trust" is even more broken than the Thawte/Verisign
	scam. 

	Once you start delegating assurances like this, you've fucked
	yourself.

	No one in their right mind would trust it more than they would a
	self-signed certificate. 

-- 
"Fiat justitia et ruat caelum"
(Let justice be done though the heavens fall.)
--legal maxim originating with the Senate of Rome.


