I don't want to discount the importance of cert discovery, but I do
think it's a stretch to believe that you're going to be willing to
trust all of the certs that you discover in a chain of significant
length, for a significant set of purposes.
We're already trusting chains of significant length (i.e. DNS delegation)
with no decent verification at all.
That's a good point. PKI on DNS might not be the most trustworthy system
imaginable, but it would probably be an improvement over no PKI. Provided
it doesn't break DNS...
/========================================================\
|John Stracke |Principal Engineer |
|jstracke(_at_)incentivesystems(_dot_)com |Incentive Systems, Inc.|
|http://www.incentivesystems.com |My opinions are my own.|
|========================================================|
|E pui muove! -- Galileo |
\========================================================/