Security by asking the drunk whether he's drunk

Florian Weimer fw at
Sat Dec 27 15:20:27 EST 2008

* Jerry Leichter:

> I got in touch with the company and actually received intelligent
> responses both at their 800 number - I placed my order that way - and
> in a response from their customer service people.  Most remarkable -  
> almost all organizations ignore such communication.  It's ironic that
> those who appear to be trying the hardest are being screwed over by
> the system that's currently in place - and will inadvertently be
> involved in training users to simply bypass yet another kind of bad
> cert warning.

This is also why I don't want browser vendors to remove CAs for which
they haven't got enough documentation, at least at this stage.  After
a few rounds of competitors attacking each other (and themselves as
well, because who knows who controls some of the older private keys
these days), the only CAs left are those where initiating RA
procedures is sufficiently difficult for law-abiding citizens--and
cost is a very likely discriminator in this area.

And for most sites, those extra $$$ are better spent on hosting with
some sort of security monitoring.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list