What stops company X from making a "pact" with company Y? If company X is getting DoS'd, then company Y helps defend by launching their own counter-strike.
You're fine until someone kills Archduke Ferdinand.
I've discovered a method to turn a single processor computer into a dual processor machine! First go into the BIOS and turn Hyper-Threading on. Finish booting the system. Now get a hacksaw. Hit reboot and quickly saw the processor in half. Before the system restarts, kill the power. Take the left half of the CPU and put it in the second processor slot. Start the system again and everything should be working wonderfully!
To make any such scoring scheme work, you'd need some good way of calculating the "accumulated validity" of a visited site's identity, based on the trustworthiness scores of the signing CAs.
Yeah, I hadn't thought that through. I suppose a lot of shady or careless companies get their signing authority from someone else's root certificate.
So, a system like you describe exists!
This happens to me all the time. Apparently I'm good at design but terrible at research. :)
About your last point: why is the "one step removed from the CA" useful?
I suppose I should clarify what I meant by that. If you look at the certificate path for a site like E*TRADE, everything is signed by Verisign even if it isn't done directly from their root certificate. I guess I'm saying that some users may not feel as confident about a certificate trusted by a friend of a friend that they've never met compared to a gigantic, "respectable" corporation. I suppose this perception could change if signed/encrypted email really takes off and more people get comfortable with the technology.
Let me clarify my idea a bit. I was thinking of something along the lines of a scale from 1 to 10, where 1 is "untrustworthy," 5 is "trustworthy," and 10 is "extremely trustworthy." All of the trusted root certificates would default to 5 (or whatever), and it would be up to the user or site administrator to adjust the values if they wanted. Most end users probably wouldn't care, but those who did would be able to change these settings and receive the appropriate notification via a browser icon. This is a quick and easy modification that could be done without changing the current system.
I agree that the trust web idea is pretty cool. However, there's something to be said for being one step removed from the certificate authority, especially for financial transactions (and regardless of your trust architecture).
I would be willing to pay a good CA for actual verification, even as a client, if I could be sure that they were actually verifying the folks they issued certificates to.
A cool idea would be to assign a "trustworthiness value" to each trusted root certificate. Then browsers could do something with the lock icon and/or use a tooltip to notify the user. CAs that don't care much about verification or that support fraud would be at the bottom of the scale.
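The scoring scheme sketched across the three comments above (a 1 to 10 scale, roots defaulting to 5, user overrides, and an "accumulated validity" for a chain that is signed by a CA that is itself signed by a root) can be made concrete. The following is an added example written for this page, not code from any poster or browser. The certificate chains, CA names and the thresholds used for the lock icon are constructed assumptions; the one design choice it commits to is that a chain's trust is its weakest link, so an intermediate can lower a chain's rating but never raise it above the root that anchors it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scale from the thread: 1 = untrustworthy, 5 = trustworthy, 10 = extremely trustworthy.
DEFAULT_SCORE = 5
MIN_SCORE, MAX_SCORE = 1, 10


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: Optional[str]  # None marks a self-signed root


def ca_scores(trusted_roots: List[str], overrides: Dict[str, int]) -> Dict[str, int]:
    """Every trusted root defaults to DEFAULT_SCORE; the user or site admin may
    override any CA (root or intermediate). Values are clamped to the scale."""
    scores = {root: DEFAULT_SCORE for root in trusted_roots}
    for ca, value in overrides.items():
        scores[ca] = max(MIN_SCORE, min(MAX_SCORE, value))
    return scores


def chain_trust(chain: List[Cert], scores: Dict[str, int]) -> Optional[int]:
    """Accumulated trust of a leaf given its chain (leaf first, root last).

    Returns None when the chain is empty, does not link up, or does not end in
    a trusted root. Otherwise the result is the weakest link: the minimum score
    over every CA in the chain. An intermediate with no score of its own simply
    inherits its issuer's score, so a chain is never rated higher than the root
    that anchors it."""
    if not chain:
        return None
    root = chain[-1]
    if root.issuer is not None or root.subject not in scores:
        return None
    # Every certificate must be issued by the next one up the chain.
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return None
    score = scores[root.subject]
    for ca in chain[1:-1]:  # intermediates only; the leaf itself is not a CA
        if ca.subject in scores:
            score = min(score, scores[ca.subject])
    return score


def lock_indicator(score: Optional[int]) -> str:
    """What the browser would show next to the lock icon (thresholds are assumed)."""
    if score is None:
        return "untrusted"
    if score <= 3:
        return "warning"
    if score >= 8:
        return "strong"
    return "lock"


# Constructed example data, not real CAs or real certificates.
TRUSTED_ROOTS = ["Root A", "Root B"]
OVERRIDES = {"Root A": 12, "Root B": 2, "Intermediate A": 4}  # 12 is clamped to 10
CHAIN_VIA_INTERMEDIATE = [
    Cert("www.example.test", "Intermediate A"),
    Cert("Intermediate A", "Root A"),
    Cert("Root A", None),
]
CHAIN_DIRECT_FROM_B = [Cert("shop.example.test", "Root B"), Cert("Root B", None)]

if __name__ == "__main__":
    scores = ca_scores(TRUSTED_ROOTS, OVERRIDES)
    for chain in (CHAIN_VIA_INTERMEDIATE, CHAIN_DIRECT_FROM_B):
        s = chain_trust(chain, scores)
        print(chain[0].subject, s, lock_indicator(s))
```

Taking the minimum rather than, say, an average is deliberate: a chain whose root is rated 10 but whose intermediate is a careless reseller should not come out looking better than the reseller alone. The chain-linkage check matters too; without it a site could present a respectable root alongside an unrelated leaf and inherit the root's score.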
Verisign does. After failing to get an account migration problem fixed via email, I finally resorted to calling them. The rep asked for my username and password to verify my identity and couldn't understand why I refused to give out my password over the phone. I asked him if the passwords were stored in their database in plaintext or if he was going to check it by logging on, but he wouldn't tell me.
Where Real starts to bother me is the registry entry that runs something every time you boot. And if you delete said registry entry, it replaces it the next time you run the program.
You can usually leave the key in the Run section of the registry and just delete the value (the path to the program). A blank key won't do anything and won't throw any errors. Many applications only check for the existence of their keys and never realize that they're empty. I'm not sure about Real software, but this trick works for a lot of other stuff.
Everyone please take the time to configure your gateways to drop outgoing packets with spoofed source addresses. This doesn't take long and potentially saves everyone else a ton of grief. Logging these funny packets is also a good way to tell if a machine on your network has been compromised.
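The egress filter the comment above asks for is simple to state: an outbound packet whose source address is not in the address space you own cannot be legitimate, so drop it and log it. The following is an added example for this page, not code from the poster or from any firewall product. The prefixes, interface name and sample packets are constructed; the decision logic runs over them offline, and a second function renders the same policy as an nftables ruleset so it can be compared with a real gateway configuration. One caveat the comment glosses over: the spoofed source address tells you nothing about which host sent the packet, so the log line must carry the ingress interface and the layer-2 source, which is what you actually use to track down the compromised machine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Address space assigned to our network (constructed; these are documentation prefixes).
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]
LAN_IF = "eth1"  # assumed name of the inside interface on the gateway


@dataclass(frozen=True)
class Packet:
    """The fields of an outbound packet the gateway needs for this decision."""
    ingress_if: str  # interface the packet arrived on
    src_mac: str     # layer-2 source; identifies the sending host on the local segment
    src_ip: str
    dst_ip: str
    proto: str


def is_spoofed(pkt: Packet, prefixes=OUR_PREFIXES) -> bool:
    """True when the packet claims a source address outside the space we own."""
    try:
        src = ipaddress.ip_address(pkt.src_ip)
    except ValueError:
        return True  # not even a valid address: treat as bogus
    return not any(src in net for net in prefixes)


def filter_egress(packets: Iterable[Packet], prefixes=OUR_PREFIXES) -> Tuple[List[Packet], List[str]]:
    """Apply the egress policy. Returns the packets to forward and one log line
    per drop. The log records the ingress interface and MAC, which is what lets
    you find the compromised host behind a spoofed source address."""
    forwarded, log = [], []
    for pkt in packets:
        if is_spoofed(pkt, prefixes):
            log.append(
                f"DROP spoofed-egress in={pkt.ingress_if} mac={pkt.src_mac} "
                f"src={pkt.src_ip} dst={pkt.dst_ip} proto={pkt.proto}"
            )
        else:
            forwarded.append(pkt)
    return forwarded, log


def nft_rules(prefixes=OUR_PREFIXES, lan_if: str = LAN_IF) -> str:
    """Render the same policy as an nftables ruleset for a Linux gateway:
    accept our prefixes arriving on the inside interface, log and drop the rest."""
    lines = [
        "table inet egress_filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for net in prefixes:
        family = "ip" if net.version == 4 else "ip6"
        lines.append(f'    iifname "{lan_if}" {family} saddr {net} accept')
    lines.append(f'    iifname "{lan_if}" log prefix "spoofed-egress: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample traffic: two legitimate packets, one spoofed, one garbage.
SAMPLE_PACKETS = [
    Packet(LAN_IF, "aa:bb:cc:00:00:01", "203.0.113.7", "198.51.100.9", "tcp"),
    Packet(LAN_IF, "aa:bb:cc:00:00:02", "192.0.2.44", "198.51.100.9", "udp"),
    Packet(LAN_IF, "aa:bb:cc:00:00:03", "2001:db8:1::5", "2001:db8:9::1", "tcp"),
    Packet(LAN_IF, "aa:bb:cc:00:00:04", "not-an-address", "198.51.100.9", "icmp"),
]

if __name__ == "__main__":
    fwd, log = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(log)}")
    print("\n".join(log))
    print(nft_rules())
```

The rendered ruleset only covers traffic forwarded through the gateway; packets the gateway itself originates go through the output hook and would need a matching rule there. The mirror-image check, dropping inbound packets from the outside that claim one of your own prefixes as source, is the other half of the same policy and is just as cheap.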
I think it's slow news day stuff. Some company is always suing some other company, so it's not hard to fill the gaps with lawsuit news. Personally I find these stories the least interesting part of Slashdot.
Thank you for posting Slashdot standard comment #14. As always, this greatly enhanced the discussion of [Novell Headed To Linux Enterprise Desktop In Asia]. We hope you continue to make similar contributions in the future.
You just did. They're going to use nmap on you, discover that you're running Linux, get your name and street address from your ISP and then send you a bill in the mail.
The major problem I see is that when something has been free for so long, people will be hesitant to pay for it. The perceived value is already zero. Imagine if Microsoft started charging $2 for Internet Explorer. No one would go for that.
You'll have to pry my keyboard from my cold, dead hands!
I found this cool program the other day, but it needed the C standard library... I'll pass for now.
Did you just give out your IP address to all of Slashdot? Probably not the best plan.
A 10-layer DVD would be pretty cool.
Try here.
Invest in a pipe manufacturer.
Not a problem. Just make a photocopy first.
-The Management
Why did you post that? There's nothing worse than a useless comment.
I'm waiting for the Tux armbands.
"My house has never caught fire. Why should I help pay for the fire department?"
Here's the overview from the manual.
If you're not going to do the real thing, why not just make a software replica?
And people thought I was weird because I listened to music made with shopping carts, steel pipes and plastic waste bins.