Re: [cap-talk] A petname toolbar for Firefox
Ka-Ping Yee
cap-talk at zesty.ca
Fri Feb 18 22:22:37 EST 2005
On Sat, 19 Feb 2005, Tyler Close wrote:
> Under HTTPS, the end entity certificate typically has a lifetime of only
> 1 year. The only persistent identifier for the site is the ( domain
> name, CA public key ) pair.
I see. That makes more sense now. But why do you go all the
way up to the root instead of just one level to the CA that
issued the site's certificate? I thought the root's certificate
only vouches for the identity of its subject, not for the
subject's trustworthiness (and all its descendants' trustworthiness)
at managing its namespace. I guess I'm unclear on exactly what
commitment is represented by a certificate higher in the chain.
> The above, among other reasons, is why petnames are much more powerful
> when used in tandem with HTTPSY. Perhaps we can get there in stages.
It seems to me that the phishing problem would be much easier
to solve if we encouraged all sites to use self-signed certificates
and switched browsers to use HTTPS by default before falling back
to HTTP.
-- ?!ng