On Nov 5, 2010, at 8:29 AM, Les Mikesell <lesmikesell at gmail.com> wrote: > So if you really want privacy you need to run another layer of encryption end to > end with an uncommon cipher? Yes, or only trust those CAs that you know you can trust. Use web browsers you can fully trust don't embed CA trusts and fully manage the CA trust database you can see. If we could start the whole certificate thing over I think it would have been better to have a trust "registrar" rather then a bunch of semi-trusted authorities. Then any corporation can create their own CA and register that CA with a registrar with proof of identity, then manage their own certificates and CRLs. It might not be too late to do so, you could even use DNS TXT objects to provide URLs to these CAs stored in a database for quick browser lookups. Just need to get a browser like Firefox to back the idea and a procedure to verify the trust and have that stored in the browser's trust database along with better CRL checking. -Ross