Off-topic-ish...
Now that $10 at GoDaddy buys a certificate, how safe is SSL anyway?
Hypothetical thought: Visa issues a USB Smart Card with it's own trusted CA root for website certs that it's member (customer or whatever it is now) banks have issued. There are then usage restrictions on the card's private key, so it can only be used on those sites.
Posted by Thomas Barker at July 10, 2008 07:53 PMStill off-topic, but this is my pet peeve...
>Now that $10 at GoDaddy buys a certificate, how safe is SSL anyway?
Not very. This is what disgusts me about the whole x.509 PKI system.
There are some 100 root certs installed by default in my browser, some owned by companies I've never heard of, and I'm supposed to trust every one of them.
And when has a certificate ever meant more than that its holder possessed a valid credit card and spent $X on it? The x.509 system is more of a money-making scheme implemented as a private tax on e-commerce than anything else. Is any certificate authority going to do any more checking of your identity than necessary to charge your credit card before they issue you a cert? I think not. They might look up who you are a little more if you want one of those Extended Validation certs, but I really doubt they are going to trek down to the courthouse to verify your business's incorporation documents before issuing you a pretty green cert. After all, they wouldn't want to lose a potential sale on a $300+ cert by checking somebody out TOO carefully.
And really, it is far beyond the scope of any certificate authority to make a judgment as to whether or not you should trust a particular company with your credit card details. Not even the BBB is any good for that.
So, back on topic, we are still dependent on basic DNS security, common sense, and a healthy dose of skepticism online.
Posted by anon at July 10, 2008 10:24 PM"It is ridiculous but it's no more ridiculous than the way a lot of people cling to failed ideas. Keynes said "It's not bringing in the new ideas that's so hard. It's getting rid of the old ones." And Einstein said it better, attributing his mental success to "curiosity, concentration, perseverance and self-criticism." By self-criticism he meant becoming good at destroying your own best-loved and hardest-won ideas. If you can get really good at destroying your own wrong ideas, that is a great gift."
-Charlie Munger
X.509 isn't about trust, it's about the level of confidence that people are telling the truth/acting in good faith. Trust is fluid and changes all the time it certainly isn't black or white and certainly isn't told to us by faceless multinational corps. well regretably there is sheeple I suppose.
However back to trust, would you trust someone you just met with your car keys/child because they had a X.509 cert signed by verisign?
In any case we don't need X.509, OpenPGP works just fine in exactly the same manner, now if only there were some other people capable of helping me code web browser plugins I'm sure we'd all be better off.
As for DNS
http://www.ietf.org/internet-drafts/draft-groth-dns-encryption-02.txt
http://www.ietf.org/internet-drafts/draft-groth-dns-encryption-02.pdf