[82452] in North American Network Operators' Group


Re: Non-English Domain Names Likely Delayed

daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Jul 18 22:42:22 2005

In-Reply-To: <0F7F9A82BB0DBB4396A9F8386D0E06120EECB3@pos-exch1.positivenetworks.net>
Cc: <nanog@merit.edu>
From: Joe Abley <jabley@isc.org>
Date: Mon, 18 Jul 2005 22:41:22 -0400
To: "Jason Sloderbeck" <jason@positivenetworks.net>
Errors-To: owner-nanog@merit.edu
On 18 Jul 2005, at 18:43, Jason Sloderbeck wrote:
> I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to
> completely confuse even a savvy IT user who is trying to determine the
> validity of an SSL site.
>

If I was feeling especially cynical (and hey, who isn't on a Monday?)
I'd say that the validity of an SSL site is a lot harder to judge
than people think, and a savvy IT user would do well to trust very
few of them.

For a well-known common name with a global reputation, you might have
a reasonable expectation that a successful wander down a certificate
chain might be worth trusting: a CA would have to be fairly remiss to
issue a certificate to some random customer who claimed to be Amazon
or Microsoft (or Amäzon or Micrøsoft, for that matter).

However, when it comes to a web store whose name isn't well-known,
"good certificate" frequently means little more than "the operator of
the site is able to mark up some letterhead and send a fax".

And of course, nobody here would be guilty of clicking "accept" on a
warning that the validity of a self-signed certificate cannot be
determined. Thought not.

Maybe a bit of healthy distrust is overdue for injection into the CA
economy.


Joe

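[Added example, not part of Joe's message or the original thread. The "Amäzon or Micrøsoft" aside is the IDN homograph problem: a name that renders like a well-known brand but is a different label on the wire. The Python below, standard library only, shows what a client or CA vetting step can actually check: the punycode form of a hostname (which is what ends up in a certificate's name fields), whether a label mixes scripts, and whether its "skeleton" collapses onto a well-known name once diacritics and a few look-alike characters are stripped. The sample hostnames, the WELL_KNOWN allowlist and the CONFUSABLES table are constructed for this example; a real checker would use the Unicode confusables data rather than this hand-built subset.]

```python
import unicodedata

# Hand-built subset of look-alike mappings (assumption: a production
# checker would load the Unicode confusables.txt data instead).
CONFUSABLES = {
    "\u00f8": "o",  # Latin ø (no NFKD decomposition, so mapped explicitly)
    "\u0430": "a",  # Cyrillic а
    "\u043e": "o",  # Cyrillic о
    "\u0435": "e",  # Cyrillic е
    "\u0441": "c",  # Cyrillic с
    "\u0440": "p",  # Cyrillic р
    "\u0455": "s",  # Cyrillic ѕ
    "\u0456": "i",  # Cyrillic і
}

# Constructed allowlist of the two names the message mentions.
WELL_KNOWN = {"amazon", "microsoft"}


def to_ascii(hostname: str) -> str:
    """IDNA (punycode) form of a hostname, i.e. what appears on the wire
    and in a certificate's subject / subjectAltName."""
    return hostname.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Script of each letter in a label, taken from the first word of its
    Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Collapse a label onto the ASCII it resembles: NFKD, drop combining
    marks (so ä -> a), then apply the small confusables table."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped).lower()


def assess(hostname: str) -> dict:
    """Return the checks a practitioner would want before trusting a name."""
    hostname = hostname.lower()
    label = hostname.split(".")[0]  # the brand lives in the leftmost label here
    ascii_form = to_ascii(hostname)
    scripts = scripts_in(label)
    sk = skeleton(label)
    return {
        "input": hostname,
        "ascii": ascii_form,
        "is_idn": ascii_form != hostname,        # any xn-- label present
        "mixed_script": len(scripts) > 1,        # e.g. Cyrillic + Latin in one label
        "looks_like": sk if sk in WELL_KNOWN and sk != label else None,
    }


# Constructed sample input for this example.
SAMPLE_HOSTNAMES = [
    "amazon.com",
    "am\u00e4zon.com",     # Amäzon, as in the message above
    "micr\u00f8soft.com",  # Micrøsoft
    "\u0430mazon.com",     # Cyrillic а followed by Latin letters
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        print(assess(h))
```

The point of the skeleton check is that "amazon.com" itself is left alone (its skeleton equals its label), while "amäzon.com" becomes xn--amzon-hra.com on the wire and still collapses onto "amazon"; the mixed-script check catches the Cyrillic case even without a confusables entry for every character.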