D&C GLug - Home Page


Re: [LUG] Email encryption, was Re: www.dcglug.org.uk


On Sun, Apr 28, 2013 at 8:58 PM, Brad Rogers wrote:
>>the "web of trust" of certificate authorities to the point where many
>
> The cert authorities don't do web of trust, unless I've missed
> something.  They simply sell a 'certificate' to anyone with the money to
> pay for it.  You or I could buy one.

It's a bit like a web of trust. Browsers have a (hard-coded) list of
root authorities and their public keys and when you make an SSL
connection, the certificate needs to be signed by an authority that
can be chained back to one of these root authorities. If not, you
can't continue, unless you allow the certificate.

When you or I buy a certificate, some very basic checks are performed
that help them make sure you own the domain you buy a certificate for.
(You can also buy a Very Secure certificate, in which case they
perform some more rigorous checks.) I don't know if it's easy to buy a
certificate for a domain you don't own, but I don't remember anything
like that making the news. What have made the news are certificate
authorities that were broken into so that others could create
certificates for google.com and some other big names. (Things were a
little worse back then as browsers didn't check for revoked
certificates.)

> The reasons for requiring ID to open a bank account were stated to be to
> stop money laundering.  It didn't work.  Money laundering still occurs.
> Of course, it's a good idea for the bank to make enquiries about the
> identity of the person attempting to open an account in any case.

I merely mentioned this, as this is the moment where you could
exchange keys (or exchange something else, like a postal address and
a phone number, that could later be used for the key exchange).

> Not just banks, of course.  It starts getting more complex when you Cc
> and/or Bcc people at the same time.

Yes - I meant this as encrypted communication between two entities,
say a bank and its customer.

> Whilst that's probably true, there are a few things that simply create the
> illusion of security;  The card readers that some banks require you to
> use if you wish to transfer money out of your account won't stop anyone
> using your card details to make purchases at, say, Amazon.  Another fake
> security measure is the 3 digit code on the back of all credit & debit
> cards;  Once you give that number to somebody, what guarantee is there
> that they haven't copied it, along with all your other card details?
> None.

That's all true, of course. (I think it's illegal for a shop to store
the 3-digit code, but I don't know how well this is actually checked.)

Martijn.
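The chain check Martijn describes above, as an added example that is not part of this email or of the list archive: Go standard-library code (crypto/x509) that builds a made-up root, intermediate and server certificate in memory and then runs the same verification a browser performs when it connects. "Example Root CA", "Example Issuing CA", "Other Root CA" and the example.com hostnames are all constructed for the example. It also shows the flip side of the "anyone can buy a certificate" point in the thread: a second, unrelated root that the client happens to trust can issue a certificate for the same hostname and it is accepted, because trust in a root store is flat and not scoped to domains unless name constraints are in use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on a setup error (key generation, signing), which cannot happen in
// this offline example short of a broken random source.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for subject: self-signed when parent is nil, otherwise
// signed by parentKey so that it chains to parent. All names passed in are made up.
func newCert(subject string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// pool wraps certificates in a CertPool. An empty pool is still non-nil, so Verify
// treats it as "trust nothing" rather than falling back to the system root store.
func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyChain does what a browser does on connect: the leaf must chain, through any
// intermediates the server sent, to a root the client already trusts, and must be
// valid for the hostname that was requested.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         pool(roots),
		Intermediates: pool(intermediates),
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Classify turns a verification result into a short label (Verify returns these
// error types unwrapped, so a type switch is enough).
func Classify(err error) string {
	switch err.(type) {
	case nil:
		return "accepted"
	case x509.UnknownAuthorityError:
		return "unknown authority"
	case x509.HostnameError:
		return "hostname mismatch"
	}
	return "rejected: " + err.Error()
}

// Scenario builds Example Root CA -> Example Issuing CA -> www.example.com, plus an
// unrelated "Other Root CA" that the client also trusts and that has issued its own
// www.example.com certificate. It returns, in order: the proper chain, the same chain
// against an empty trust store, the proper chain for a hostname the certificate does
// not name, and the certificate issued by the other root.
func Scenario() []string {
	root, rootKey := newCert("Example Root CA", nil, true, nil, nil)
	inter, interKey := newCert("Example Issuing CA", nil, true, root, rootKey)
	leaf, _ := newCert("www.example.com", []string{"www.example.com"}, false, inter, interKey)
	other, otherKey := newCert("Other Root CA", nil, true, nil, nil)
	rogue, _ := newCert("www.example.com", []string{"www.example.com"}, false, other, otherKey)
	inters := []*x509.Certificate{inter}
	trusted := []*x509.Certificate{root, other}
	return []string{
		Classify(verifyChain(leaf, inters, trusted, "www.example.com")),
		Classify(verifyChain(leaf, inters, nil, "www.example.com")),
		Classify(verifyChain(leaf, inters, trusted, "mail.example.com")),
		Classify(verifyChain(rogue, nil, trusted, "www.example.com")),
	}
}

func main() {
	for _, outcome := range Scenario() {
		fmt.Println(outcome)
	}
}
```

Run it with go run and it prints the four outcomes in order: accepted, unknown authority, hostname mismatch, accepted. The last line is the one worth dwelling on: the client never asked whether "Other Root CA" had any business vouching for example.com, which is exactly why a broken-into authority could mint certificates for google.com. Note also that, like the browsers of the time mentioned in the email, leaf.Verify performs no revocation check at all; CRL or OCSP handling has to be added by the caller.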

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq