
Re: [Asrg] New take on emerging idea. (Query/C-R system?)

2003-04-11 17:43:30
From: "Scott Bellware" <sbellware(_at_)hotmail(_dot_)com>

> And we wouldn't even have eCommerce if it
> weren't for the trust that we already put in certificate authorities like
> VeriSign and Thawte.
> ...

That is technically wrong, although perhaps politically correct.
The political aspect is that people who don't have any idea or
interest in the technical details have been helped to overcome
their fears of "eCommerce" by the fig leaf of commercial PKI.

The certificates sold by VeriSign and Thawte have nothing to do with
any trust in any merchant by anyone with the least understanding of
how the system works.  The trust any minimally knowledgeable person
has in "eCommerce" is based on the consumer protection laws on credit
cards and personal due diligence.

Just as with PGP keys, a VeriSign, Thawte, or other commercial
certificate says nothing about whether the vendor or other outfit on
the other end of an SSL or TLS connection is a crook.  Those certificates
merely make some already very unlikely attacks on your data slightly
less likely.  Namely they make some man-in-the-middle attacks less
likely.  They don't eliminate MIM attacks because of holes in DNS
security.  When (and if) DNSSEC arrives, those holes will finally be
plugged, no thanks to commercial PKI.

The confidentiality of your credit card number or other private
information on Internet wires is provided by mechanisms that do not
require any sort of PKI.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
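An added illustration of the two points made in the reply above (confidentiality on the wire needs no PKI; what a certificate buys is a defence against an active man-in-the-middle). This is example code, not anything from the thread; the DH group (p = 2**127 - 1, g = 2) and the HMAC-based keystream are demonstration-only choices, not what TLS uses.

```python
import hashlib, hmac, secrets

# Demonstration-only group: 2**127 - 1 is a Mersenne prime, but real
# deployments use standardized groups (RFC 3526 / RFC 7919) or ECDH.
P = 2**127 - 1
G = 2

class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1  # ephemeral secret exponent
        self.pub = pow(G, self.priv, P)           # sent in the clear
        self.key = None

    def derive(self, peer_pub):
        # Hash the shared group element into a 32-byte symmetric key (minimal KDF).
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return self.key

def xor_stream(key, data):
    # Toy keystream (HMAC in counter mode) so the example needs no third-party
    # library; TLS uses an AEAD such as AES-GCM or ChaCha20-Poly1305 instead.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def direct_session(msg):
    """Client and merchant exchange public values and agree a key with no
    certificate involved; a passive sniffer sees only pub values and
    ciphertext. Returns (bytes on the wire, what the merchant decrypts)."""
    c, m = Party("client"), Party("merchant")
    c.derive(m.pub)
    m.derive(c.pub)
    wire = xor_stream(c.key, msg)
    return wire, xor_stream(m.key, wire)

def mitm_session(msg):
    """Same exchange when the connection has been redirected to an active
    attacker who completes one DH with each side: the attacker reads msg and
    forwards it, and neither honest party can tell, because nothing
    authenticated the peer. Returns (what the attacker reads, what the
    merchant receives)."""
    c, m = Party("client"), Party("merchant")
    a_c, a_m = Party("attacker->client"), Party("attacker->merchant")
    c.derive(a_c.pub); a_c.derive(c.pub)  # client believes this is the merchant
    a_m.derive(m.pub); m.derive(a_m.pub)  # merchant believes this is the client
    seen = xor_stream(a_c.key, xor_stream(c.key, msg))
    delivered = xor_stream(m.key, xor_stream(a_m.key, seen))
    return seen, delivered
```

The first function shows the confidentiality that key agreement alone provides; the second shows the gap that server authentication (the certificate, together with sound name resolution) is meant to close.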