-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 13 August 2004 11:08 am, Mark C. Langston wrote:
<snip>
In the larger sense, this boils down to how much one trusts the
centralized authority granting accreditation.
<snip>
Exactly. Accreditation doesn't equate with "good" or "legitimate". It is
just one entity's opinion of another.
In the case of Verisign, they currently accredit, just by issuing an SSL
certificate:
- That the domain has paid $300
- That there have been additional background checks
- That they "really do" own the domain
Should Verisign get slack or hand out SSL certificates for cheaper to
certain individuals, then we will stop trusting them.
Maybe Verisign isn't consciously accrediting their customers' email
worthiness. That is irrelevant. What is relevant is whether their email
worthiness is related to the fact that they have an SSL certificate from
Verisign, and whether we can trust them as an accreditor.
Now as far as centralized, accreditation services don't have to work that
way. They can be distributed. (Think PGP.)
As far as authority, no one can take authority for themselves. Rather, they
are given it until such a time that they are no longer trusted with it. (cf
Declaration of Independence) Verisign built up its good name by begging for
people's trust and then maintaining that trust.
- --
Jonathan M. Gardner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFBHTI1BFeYcclU5Q0RArApAKCd12GBadYoIoHE6A4XaPJFZvoJDACgtmbu
4d3h9KQK9BNorA/SIBfhBFg=
=SFWT
-----END PGP SIGNATURE-----