On 18 Jul 2005, at 18:43, Jason Sloderbeck wrote:
> I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to completely confuse even a savvy IT user who is trying to determine the validity of an SSL site.
If I was feeling especially cynical (and hey, who isn't on a Monday?) I'd say that the validity of an SSL site is a lot harder to judge than people think, and a savvy IT user would do well to trust very few of them.

For a well-known common name with a global reputation, you might have a reasonable expectation that a successful wander down a certificate chain might be worth trusting: a CA would have to be fairly remiss to issue a certificate to some random customer who claimed to be Amazon or Microsoft (or Amäzon or Micrøsoft, for that matter). However, when it comes to a web store whose name isn't well-known, "good certificate" frequently means little more than "the operator of the site is able to mark up some letterhead and send a fax".

And of course, nobody here would be guilty of clicking "accept" on a warning that the validity of a self-signed certificate cannot be determined. Thought not.

Maybe a bit of healthy distrust is overdue for injection into the CA economy.

Joe