Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
randy at psg.com
Mon Sep 12 14:46:46 UTC 2011
> But Gregory is right, you cannot really trust anybody completely. Even
> the larger and more respectable commercial organisations will be
> unable to resist <insert intel organisation here> when they ask for
> dodgy certs so they can intercept something..
> No, as soon as you have somebody who is not yourself in control
> without any third party verifiably independent oversight then you have
> to carefully define what you mean by trust.
i am having trouble with all this. i am supposed to only trust myself
to identify citibank's web site?  and what do i smoke to get that
knowledge? let's get real here.
with dane, i trust whoever runs dns for citibank to identify the cert
for citibank. this seems much more reasonable than other approaches,
though i admit to not having dived deeply into them all.