
On Wed, Mar 07, 2012 at 11:25:12AM +1100, Craig Sanders wrote:
> 3. a certificate signed by several (the more the better) other certificates in a large web of trust.

DNSSEC + DANE looks pretty good too.

http://tools.ietf.org/html/draft-ietf-dane-protocol-12

in short: publish a fingerprint for the ssl key as a DNS resource record. still draft, and AFAIK, no browsers support it yet.

more interesting reading:

http://www.networkworld.com/news/2011/101211-ssl-moxie-marlinspike-251882.ht...

(the article refers to the compromises of Comodo, Diginotar, etc as "shocking". anyone who's been paying attention or even thought about how the CA industry works would have said "inevitable" rather than "shocking")

and this:

http://www.networkworld.com/news/2011/081811-ssl-249874.html

which links to Marlinspike's web-of-trust style plugin for firefox:

http://convergence.io/

and another implementation of a similar idea, from Carnegie Mellon uni:

http://perspectives-project.org/

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #225: It's those computer people in X {city of world}. They keep stuffing things up.