
On Tue, Mar 06, 2012 at 11:00:56PM +0000, James Harper wrote:
But I think there is a world of difference between trusting a self-signed cert and a cert that chains to a commercial CA.
Which do you trust more:
1. a certificate signed by a CA cert that was pre-installed into your OS or browser as a result of some corporate deal?
2. a certificate signed by a CA cert that you got directly from your correspondent and installed by you into your browser or OS?
I'd trust #2 of course, if the certificate was handed to me directly by the person whose arse is on the line if things went wrong. What I don't trust is that my bank can deliver that certificate to me in a manner that I would trust any more than the pre-installed CA. You only have to look at the steps banks fail to take in preventing credit card fraud to shake your faith in this.

The generation and delivery would be outsourced to the lowest bidder, the tamper-evident envelope would be easy to subvert (in terms of the general population being able to identify this), and they'd just use Australia Post to deliver it and place it in your letterbox for anyone to swap over. Even if they made you physically go to the bank to pick up the CA thumbprint, there is still plenty of room for it to go wrong. Once you had it in your hands, though, you are in a much better position than #1.

Fortunately, there are hundreds of ways of ripping off the general population without the bad guys having to think about doing any of the above, so I think we're pretty safe for the time being.

James