in reply to Re: Re: Digital Signatures on Web Pages
in thread Digital Signatures on Web Pages
Well a few thoughts, mostly chaotic, BWTH..
There is no need to obtain a CA from VeriSign for big $$$. You could go to any number of free CAs (Thawte comes to mind) to get yourself a personal certificate.
However, perhaps for PerlMonks (hypothetically speaking) there might be a simpler plan: simply get an OpenSSL build and generate a root cert for the site. Then every time a user signs up, issue them with their own certificate using this as a root CA. Explicitly trusting a certificate or authority when the exchange is of non-critical information should be no problem. Any time a user wanted to post authenticable material they could email it signed or encrypted to the site, or perhaps prepackage it as S/MIME and post it that way. Once you learn OpenSSL's little tricks (and there are a few :-) it is relatively easy to use it and MIME::Entity to facilitate secure arbitrary payloads. On the other hand, how they meld with the visual interface of a web page is another story.
For me it all comes down to trust. Trust that the same person whose posts I have seen before is indeed the author of some document, or trust that this person is not a risk. And in the case of e-commerce the risk is not the value of the transaction being undertaken but simply the insecure exchange of financial details. For that kind of data I want to know that the information will not be abused, and to do that I need some form of validation beyond simply identity uniqueness.
On the other hand I like the idea that users of a forum like this have an easy way to authenticate posts and thus prove their identity, even if the true details of that identity are anonymous like they are here.
Yves
--
You are not ready to use symrefs unless you already know why they are bad. -- tadmc (CLPM)
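The site-root-CA scheme described in the post above, as an added example that is not part of the original post: a self-signed site root, a per-user certificate issued at sign-up, a clear-signed S/MIME post, and the site-side check against the root. The CA name, the user `exampleuser`, the file names and the extension profile are assumptions made for illustration.

```shell
# Added example; all names, files and the extension profile are constructed.
# Create the site's self-signed root CA (key, cert and config) in directory $1.
make_site_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Forum Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Sign-up: issue a signing-only certificate for user $2, chained to the root in $1.
issue_user_cert() {
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/ca.cnf" -extensions user_ext \
        -out "$1/$2.crt" 2>/dev/null
}

# User side: wrap post file $3 as a clear-signed S/MIME message written to $4.
sign_post() {
    openssl smime -sign -text -in "$3" -signer "$1/$2.crt" \
        -inkey "$1/$2.key" -out "$4"
}

# Site side: succeed only if message $2 verifies and chains to the site root in $1.
verify_post() {
    openssl smime -verify -text -in "$2" -CAfile "$1/ca.crt" \
        -out /dev/null 2>/dev/null
}

# Demo run on a constructed post.
d=$(mktemp -d) && make_site_ca "$d" && issue_user_cert "$d" exampleuser &&
printf 'Constructed sample post.\n' > "$d/post.txt" &&
sign_post "$d" exampleuser "$d/post.txt" "$d/post.eml" &&
verify_post "$d" "$d/post.eml" && echo "post verifies against the site root"
rm -rf "$d"
```

Because the user certificate carries `CA:FALSE` and only `digitalSignature`/`emailProtection`, a member cannot use it to issue further certificates under the site root.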
Re: Re: Re: Re: Digital Signatures on Web Pages
by John M. Dlugosz (Monsignor) on Sep 23, 2001 at 20:55 UTC