Some background:
http://www.digicert.com/dv-ssl-certificate.htm
(No, I don't work for digicert)
The DV certs are those cheap http://www.nlnetlabs.nl/publications/dnssec_howto/#x1-290003.4 The administrator of the zone file can sign the zone.
"We do need a class of certificate that simply verifies that we're talking to the host we expect to be talking to"
See Bruce Schneier's Practical Cryptography for digital IDs.
"The browsers by default won't warn you if say your US bank's server cert is one day signed by CNNIC (China) while you're in China. Or vice versa." If you don't trust one of the Root CAs, delete it from your browser's certificate store. I do.
How short our internet memory is... http://www.eff.org/Censorship/Indymedia/ Remember when the US went through the UK to get Italy to seize servers?