[65702] in North American Network Operators' Group


Re: Does your Certifying Authority have a clue who you are? Do they care?

daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Dec 5 11:35:22 2003

In-Reply-To: <200312051601.hB5G1ips012936@turing-police.cc.vt.edu>
Cc: Adi Linden <adil@adis.on.ca>, nanog@nanog.org
From: Joe Abley <jabley@isc.org>
Date: Fri, 5 Dec 2003 11:26:22 -0500
To: Valdis.Kletnieks@vt.edu
Errors-To: owner-nanog-outgoing@merit.edu



On 5 Dec 2003, at 11:01, Valdis.Kletnieks@vt.edu wrote:

> On Fri, 05 Dec 2003 09:28:05 CST, Adi Linden said:
>> While the ssl certificate is meant to verify the owner's identity, as a
>> consumer I would never trust an ssl certificate for that purpose. It does
>> provide a reasonable effort to keep information between me and the server
>> confidential. That's worth something, I guess.
>
> So what does the PKI actually buy you that using a throwaway self-signed
> cert doesn't provide?

There is an expectation that URLs which do not produce "this 
certificate is not trusted" messages are safe for people to use to 
disclose sensitive information like credit card numbers. The average 
consumer has been educated to this effect at great length by 
commerce-oriented websites and browser vendors.

It doesn't matter whether the expectation is reasonable; what matters 
is that the expectation exists.

If there's a risk that people will be afraid to type credit card 
details into a merchant's web page, and that risk can be reduced by 
spending some relatively small number of dollars with a CA, then 
merchants will spend the dollars, and the myth is perpetuated.

You could try and re-educate the market, but since there's no money in 
teaching people not to trust CAs, it's difficult to see who would do 
the re-education.


Joe

