I'm glad someone wants to audit the system. We trust these certs with our banking info, I think asking to prove their house is in order is a good thing. The integrity of the whole system relies on it.
Webwork
6:50 pm on Sep 9, 2011 (gmt 0)
I wonder what role this played in reference to my experience earlier today, reported here [webmasterworld.com...]
graeme_p
6:08 pm on Sep 12, 2011 (gmt 0)
The whole system is flawed.
It would be far better to use a system whereby those we really had to trust (like banks) provided certificates off-line.
For sites that require lower security, a system based on alerting users to changed certificates - like ssh does with server keys.
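The ssh-style alternative graeme_p describes, as an added example that is not part of this thread: a known_hosts-style "trust on first use" store that records a server certificate's fingerprint on first contact and flags any later change. The hostname, file path and certificate bytes are constructed for the demo.

```python
# Added example (not from the thread): a known_hosts-style "trust on first use"
# store for server certificate fingerprints, modelled on the ssh behaviour
# graeme_p describes. Hostnames, paths and certificate bytes are constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, the value browsers display."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps hostname -> fingerprint recorded the first time it was seen."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'new', 'match' or 'CHANGED'; never silently accept a change."""
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp  # first contact: record it, like ssh's known_hosts
            self.path.write_text(json.dumps(self.pins))
            return "new"
        if known == fp:
            return "match"
        # A differing fingerprint is the case the user must be told about:
        # legitimate rotation or an impostor, the store alone cannot tell which.
        return "CHANGED"


def run_demo() -> list:
    """Exercise first contact, repeat contact, reload from disk, and a change."""
    path = Path(tempfile.mkdtemp()) / "pins.json"   # constructed temp location
    bank_cert = b"\x30\x82constructed-der-for-bank.example"
    store = PinStore(path)
    results = [store.check("bank.example", bank_cert),
               store.check("bank.example", bank_cert)]
    reloaded = PinStore(path)                         # persisted pins survive restart
    results.append(reloaded.check("bank.example", bank_cert))
    results.append(reloaded.check("bank.example", b"\x30\x82other-cert"))
    return results


if __name__ == "__main__":
    print(run_demo())  # ['new', 'match', 'match', 'CHANGED']
```

As with ssh, a "CHANGED" result only says the key differs from the one previously seen; deciding whether that is a planned rotation or an attack is left to the user.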
wheel
6:15 pm on Sep 12, 2011 (gmt 0)
There is no, and never has been any, security around the actual owner/identity of the cert holder. Forget that nonsense, all you know is that the transmissions are encrypted.
Jeepers, the place I use for my security certs uses an automated phone call to me.
The flaw in the system is the idea that certs from third parties are any better than self signed certs. The problem with 'trust' of certs is a farce enabled by browsers. They should get rid of that entire signing authority and trust the certs as valid or not and be done. Because we can clearly see where trusting browsers to determine which cert authorities to trust is getting us.