| gabriel rosenkoetter on Tue, 28 Jan 2003 16:13:17 -0500 |
|
On Tue, Jan 28, 2003 at 02:18:43PM -0500, Fred K Ollinger wrote: > Which I think is silly b/c what's to stop someone from putting up a > javascript that says that it's from Verisign? At some point, they are > going to have to trust _you_, if it's not trusting your key, it's trusting > that you really got a key from Verisign. Uh... because I can always tell my web browser to display the server's key and verify it myself? Because I use w3m, which does do SSL and doesn't do JavaScript? Because no JavaScript will make either Netscape, Mozilla, or IE close their little lock icon? The consumer does need to watch carefully, but SSL-enabled web browsing and purchasing can and does work just fine. > There are probably ways of cryptographically proving that the keys are > only from Verisign, but I'm willing to bet that not only do most people > not know how to do that, but most of them have no reason to trust Verisign > over you. That's *precisely* how the system works. It's not like PGP, which uses public key techniques. SSL uses stream ciphers with a trusted third party verifying that partners are who they say they are. (In this case, it's not a reciprical situation, because the vendor isn't being asked to trust you, though it'd work just fine if it were.) Without the trusted third-party, the authentication protocol breaks down utterly (though you can still trust the enciphering portion of it). If that doesn't make sense, go find a copy of Bruce Schneier's "Applied Cryptography". > So, make your own key. If you don't need authentication, sure. -- gabriel rosenkoetter gr@eclipsed.net Attachment:
pgphLalMdHb1p.pgp
|
|