Why would it matter who signed it? As long as the data is encrypted as it travels over the internet, I am happy.
Because encrypted is only half the battle. Trusting that $entity is really $entity is the other half.
Most end-users aren't smart enough to verify, when they hit https://www.chase.com (or whatever), that the other end really *is* Chase -- that's what they pay Verisign for -- because we have at least *some* faith that Verisign took the time to ensure they issued it to the right person.
Never mind that certificates get issued to things like chase-inc.com and the wrong people. That's another problem.
/mike.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/