Well a few thoughts, mostly chaotic, BWTH..
There is no need to obtain a CA from verisign for big $$$. You could go to any number of free CA (thawte comes to mind) to get yourself a personal certificate.
However perhaps for perlmonks (hypothetically speaking) there might be a simpler plan, simply get an OpenSSL build and generate a root cert for the site. Then every time a user signs up issue them with their own certificate using this as a root CA. Explicitly trusting a certificate or authority when the exchange is of non critical information should be no problem. Any time a user wanted to post authenticable material they could email it signed or encrypted to the site or perhaps prepackage it as s/mime and post it that way. Once you learn OpenSSL little tricks (and there are a few :-) it is relatively easy to use it and MIME::Entity to facilitate secure arbitrary payloads. On the other hand how they meld with the visual interface of a web page is another story.
For me it all comes down to trust. Trust that the same person whose posts I have seen before is indeed the author of some document, or trust that this person is not a risk. And in the case of e-commerce the risk is not the value of the transaction being undertaken but simply the insecure exchange of financial details. For that kind of data I want to know that the information will not be abused, and to do that I need some form of validation beyond simply identity uniqueness.
On the other hand I like the idea that users of a forum like this have an easy way to authenticate posts and thus prove their identity, even if the true details of that identity are anonymous like they are here.
Yves
--
You are not ready to use symrefs unless you already know why they are bad. -- tadmc (CLPM)
In reply to Re: Re: Re: Digital Signatures on Web Pages
by demerphq
in thread Digital Signatures on Web Pages
by John M. Dlugosz
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |