<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_02_17_221224</id>
	<title>Mozilla Debates Whether To Trust Chinese CA</title>
	<author>timothy</author>
	<datestamp>1266400920000</datestamp>
	<htmltext>At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the <a href="http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca">debate at Mozilla</a> about whether Firefox, by default, should trust a Chinese certificate authority (<a href="//yro.slashdot.org/story/10/02/02/202238/Mozilla-Accepts-Chinese-CNNIC-Root-CA-Certificate">as it has since October</a>). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: <i>"To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."</i></htmltext>
<tokenext>At his Freedom to Tinker blog , Ed Felten has a thoughtful , accessible piece on the debate at Mozilla about whether Firefox , by default , should trust a Chinese certificate authority ( as it has since October ) .
Felten explains in clear language why this is significant , and therefore controversial .
An excerpt : " To see why this is worrisome , let 's suppose , just for the sake of argument , that CNNIC were a puppet of the Chinese government .
Then CNNIC 's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens ' 'secure ' web connections .
If a Chinese citizen tried to make a secure connection to Gmail , their connection could be directed to an impostor Gmail site run by the Chinese government , and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site .
"</tokentext>
<sentencetext>At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October).
Felten explains in clear language why this is significant, and therefore controversial.
An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government.
Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections.
If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178014</id>
	<title>Wow, just wow.</title>
	<author>yttrstein</author>
	<datestamp>1265026800000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext>The authenticity of certs no longer matters, and I'm frankly astonished that neither Mozilla nor Slashdot has ever heard of SSL taps, an *enormous number* of which are currently active in Chinese public networks.<br><br>It's a man-in-the-middle thing, and I run them at work.  They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.</htmltext>
<tokenext>The authenticity of certs no longer matters , and I 'm frankly astonished that neither Mozilla nor Slashdot has ever heard of SSL taps , an * enormous number * of which are currently active in Chinese public networks . It 's a man-in-the-middle thing , and I run them at work .
They 're very easy to configure , and if you really know what you 're doing , you can " legitimately " fake the identity of any cert you want , and every single byte of your traffic is sniffable to whoever runs the tap .</tokentext>
<sentencetext>The authenticity of certs no longer matters, and I'm frankly astonished that neither Mozilla nor Slashdot has ever heard of SSL taps, an *enormous number* of which are currently active in Chinese public networks. It's a man-in-the-middle thing, and I run them at work.
They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178938</id>
	<title>Go back to Peking</title>
	<author>Anonymous</author>
	<datestamp>1265033220000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>  You nerds talk like the Chinese give a damn about what you want. The Chinese government is not to be trusted, ever! How many times over the last two years has something happened in China regarding the Net where their only response was a Bart Simpson's "it wasn't me", to an outright cyber-attack by organs of their government. Chairman Mao is still alive and well in the hearts of those old men who run China. Don't trust them.</htmltext>
<tokenext>You nerds talk like the Chinese give a damn about what you want .
The Chinese government is not to be trusted , ever !
How many times over the last two years has something happened in China regarding the Net where their only response was a Bart Simpson 's " it was n't me " , to an outright cyber-attack by organs of their government .
Chairman Mao is still alive and well in the hearts of those old men who run China .
Do n't trust them .</tokentext>
<sentencetext>  You nerds talk like the Chinese give a damn about what you want.
The Chinese government is not to be trusted, ever!
How many times over the last two years has something happened in China regarding the Net where their only response was a Bart Simpson's "it wasn't me", to an outright cyber-attack by organs of their government.
Chairman Mao is still alive and well in the hearts of those old men who run China.
Don't trust them.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178036</id>
	<title>Re:Privacy loss should be opt-out, but never is</title>
	<author>selven</author>
	<datestamp>1265026920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Don't you mean "loss of privacy should be opt in"? Opt-out loss of privacy means that unless you opt out of losing privacy you lose your privacy.</p></htmltext>
<tokenext>Do n't you mean " loss of privacy should be opt in " ?
Opt-out loss of privacy means that unless you opt out of losing privacy you lose your privacy .</tokentext>
<sentencetext>Don't you mean "loss of privacy should be opt in"?
Opt-out loss of privacy means that unless you opt out of losing privacy you lose your privacy.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177212</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177972</id>
	<title>Re:On the other hand...</title>
	<author>Anonymous</author>
	<datestamp>1265026500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I doubt they would mind this setback once they're engaging in full-scale cyber war, as well as conventional/nuclear. They only need it once...</htmltext>
<tokenext>I doubt they would mind this setback once they 're engaging in full-scale cyber war , as well as conventional/nuclear .
They only need it once.. .</tokentext>
<sentencetext>I doubt they would mind this setback once they're engaging in full-scale cyber war, as well as conventional/nuclear.
They only need it once...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177640</id>
	<title>The debate is over</title>
	<author>Anonymous</author>
	<datestamp>1265025180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The debate is over. The results are in. Mozilla decided to trust the Chinese government CA. A transcript of their email debate can be found at english.gov.cn</p></htmltext>
<tokenext>The debate is over .
The results are in .
Mozilla decided to trust the Chinese government CA .
A transcript of their email debate can be found at english.gov.cn</tokentext>
<sentencetext>The debate is over.
The results are in.
Mozilla decided to trust the Chinese government CA.
A transcript of their email debate can be found at english.gov.cn</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31197866</id>
	<title>So how do I remove it?</title>
	<author>Sunnz</author>
	<datestamp>1266585240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I tried to find CNNIC in Firefox. I saw VeriSign, Thawte and a whole heap of others, but not CNNIC. Does that mean I don't have it?</p></htmltext>
<tokenext>I tried to find CNNIC in Firefox . I saw VeriSign , Thawte and a whole heap of others , but not CNNIC . Does that mean I do n't have it ?</tokentext>
<sentencetext>I tried to find CNNIC in Firefox. I saw VeriSign, Thawte and a whole heap of others, but not CNNIC. Does that mean I don't have it?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181962</id>
	<title>Re:Why not change of certifcation notification?</title>
	<author>FooBarWidget</author>
	<datestamp>1266490260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Uh yeah, most people would just think "WTF is this? I just want to read my email *clicks OK*" or "OMG help is my computer infected by a virus? is my computer hacked? HELP!"</p></htmltext>
<tokenext>Uh yeah , most people would just think " WTF is this ?
I just want to read my email * clicks OK * " or " OMG help is my computer infected by a virus ?
is my computer hacked ?
HELP ! "</tokentext>
<sentencetext>Uh yeah, most people would just think "WTF is this?
I just want to read my email *clicks OK*" or "OMG help is my computer infected by a virus?
is my computer hacked?
HELP!"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178376</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181990</id>
	<title>Re:No CA should be trusted by default</title>
	<author>FooBarWidget</author>
	<datestamp>1266490440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And that would solve what problem, exactly? People open email attachments named Britney_Spears_Naked.exe all the time even if they've never seen the sender before.</p></htmltext>
<tokenext>And that would solve what problem , exactly ?
People open email attachments named Britney_Spears_Naked.exe all the time even if they 've never seen the sender before .</tokentext>
<sentencetext>And that would solve what problem, exactly?
People open email attachments named Britney_Spears_Naked.exe all the time even if they've never seen the sender before.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177830</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31197856</id>
	<title>Re:One Should Always Trust</title>
	<author>Anonymous</author>
	<datestamp>1266585060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Stalin said it before Reagan. "Doverjaj, no proverjaj." It even rhymes in Russian.</p></htmltext>
<tokenext>Stalin said it before Reagan .
" Doverjaj , no proverjaj .
" It even rhymes in Russian .</tokentext>
<sentencetext>Stalin said it before Reagan.
"Doverjaj, no proverjaj.
" It even rhymes in Russian.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178414</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177074</id>
	<title>Re:Well in that case</title>
	<author>Anonymous</author>
	<datestamp>1265023020000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim.</p><p>This should be default off, with an option to enable it. I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China.</p></htmltext>
<tokenext>Unless your nation has a track record of spying on its citizens ' web traffic , then you have a much more unfounded claim . This should be default off , with an option to enable it .
I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China .</tokentext>
<sentencetext>Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim. This should be default off, with an option to enable it.
I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31176906</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178376</id>
	<title>Re:Why not change of certifcation notification?</title>
	<author>F.Ultra</author>
	<datestamp>1265028900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It doesn't have to, all it does is to warn me, the user, if the cert has changed regardless of whether it is due to key rotation or attack, then I can decide for myself.

As it is now the system is wide open for a rogue CA and the attack would be completely invisible.</htmltext>
<tokenext>It does n't have to , all it does is to warn me , the user , if the cert has changed regardless of whether it is due to key rotation or attack , then I can decide for myself .
As it is now the system is wide open for a rogue CA and the attack would be completely invisible .</tokentext>
<sentencetext>It doesn't have to, all it does is to warn me, the user, if the cert has changed regardless of whether it is due to key rotation or attack, then I can decide for myself.
As it is now the system is wide open for a rogue CA and the attack would be completely invisible.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177586</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177830</id>
	<title>No CA should be trusted by default</title>
	<author>DragonWriter</author>
	<datestamp>1265025900000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>To me, it's simple. Trust is something that should be granted by the user. A browser distribution may well include certificates for various CA's as a convenience, but generally shouldn't include <i>any</i> of them as trusted by default. There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.</p></htmltext>
<tokenext>To me , it 's simple .
Trust is something that should be granted by the user .
A browser distribution may well include certificates for various CA 's as a convenience , but generally should n't include any of them as trusted by default .
There should be an option for the user to designate bundled CA certs ( or ones obtained elsewhere ) as trusted , and installers could even include an option to enable them in the install procedure .</tokentext>
<sentencetext>To me, it's simple.
Trust is something that should be granted by the user.
A browser distribution may well include certificates for various CA's as a convenience, but generally shouldn't include any of them as trusted by default.
There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177212</id>
	<title>Privacy loss should be opt-out, but never is</title>
	<author>noidentity</author>
	<datestamp>1265023680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The loss of one's privacy should always be opt-out, but anyone concerned with privacy should always assume that it's currently being violated and thus take steps to actively protect it. Thus, anyone in China who wants privacy is going to have to do things like ensure that the Chinese CA is disabled in their browser (and actually verify that by accessing a site signed with it).</htmltext>
<tokenext>The loss of one 's privacy should always be opt-out , but anyone concerned with privacy should always assume that it 's currently being violated and thus take steps to actively protect it .
Thus , anyone in China who wants privacy is going to have to do things like ensure that the Chinese CA is disabled in their browser ( and actually verify that by accessing a site signed with it ) .</tokentext>
<sentencetext>The loss of one's privacy should always be opt-out, but anyone concerned with privacy should always assume that it's currently being violated and thus take steps to actively protect it.
Thus, anyone in China who wants privacy is going to have to do things like ensure that the Chinese CA is disabled in their browser (and actually verify that by accessing a site signed with it).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177626</id>
	<title>Re:China</title>
	<author>darthaya</author>
	<datestamp>1265025120000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>0</modscore>
	<htmltext><p>The most popular browser in China is IE6. You know why? Because it runs on pirated XP best.</p></htmltext>
<tokenext>The most popular browser in China is IE6 .
You know why ?
Because it runs on pirated XP best .</tokentext>
<sentencetext>The most popular browser in China is IE6.
You know why?
Because it runs on pirated XP best.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177180</id>
	<title>Doubt</title>
	<author>Anonymous</author>
	<datestamp>1265023500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>So there is some doubt over if this is a good idea.</p><p>Surely that means it's a bad idea.</p></htmltext>
<tokenext>So there is some doubt over if this is a good idea . Surely that means it 's a bad idea .</tokentext>
<sentencetext>So there is some doubt over if this is a good idea. Surely that means it's a bad idea.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181590</id>
	<title>Re:The whole CA concept is horribly broken</title>
	<author>inKubus</author>
	<datestamp>1266486180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What about a multi-CA solution where you need two positives on each cert?</p></htmltext>
<tokenext>What about a multi-CA solution where you need two positives on each cert ?</tokentext>
<sentencetext>What about a multi-CA solution where you need two positives on each cert?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31183454</id>
	<title>Re:China</title>
	<author>plasticsquirrel</author>
	<datestamp>1266504180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Why do we hate them, now? Because they may have broken into Gmail? Because we don't like the government system they have for themselves, on the other side of the world? Because the people don't view their government as their enemy? Because they don't share the same ideas about human rights that we do? Is that really a good reason to hate another country? It seems like Slashdot has so much venom and hatred for China just in recent months. I wonder how many Slashdotters have actually visited China?<br> <br>As I see it, judging China by Tiananmen Square and the Google hacks is like judging the U.S. by Vietnam and the Patriot Act.</htmltext>
<tokenext>Why do we hate them , now ?
Because they may have broken into Gmail ?
Because we do n't like the government system they have for themselves , on the other side of the world ?
Because the people do n't view their government as their enemy ?
Because they do n't share the same ideas about human rights that we do ?
Is that really a good reason to hate another country ?
It seems like Slashdot has so much venom and hatred for China just in recent months .
I wonder how many Slashdotters have actually visited China ?
As I see it , judging China by Tiananmen Square and the Google hacks is like judging the U.S. by Vietnam and the Patriot Act .</tokentext>
<sentencetext>Why do we hate them, now?
Because they may have broken into Gmail?
Because we don't like the government system they have for themselves, on the other side of the world?
Because the people don't view their government as their enemy?
Because they don't share the same ideas about human rights that we do?
Is that really a good reason to hate another country?
It seems like Slashdot has so much venom and hatred for China just in recent months.
I wonder how many Slashdotters have actually visited China?
As I see it, judging China by Tiananmen Square and the Google hacks is like judging the U.S. by Vietnam and the Patriot Act.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180130</id>
	<title>SSL needs to be tied to domain hierarchy.</title>
	<author>jroysdon</author>
	<datestamp>1265043540000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>SSL CA authority needs to be tied to domain hierarchy.</p><p>This sort of domain-based-CA's should be able to be installed via DNS and <a href="http://jason.roysdon.net/?s=dnssec" title="roysdon.net">DNSSEC</a> [roysdon.net] should continue to be rolled out, all the way to the client (browsers should have methods to verify root DNSSEC, and follow the chain).</p><p>With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key.  Everything else flows down from that.</p><p>Then CNNIC would only control .CN.  The US Gov would theoretically only control .US, .GOV, .EDU. .COM, .NET, .ORG should be run by (as much as I hate to say it) the UN.</p><p>I already put <a href="http://jason.roysdon.net/2009/10/14/ssh-public-keys-fingerprints-via-dnssec/" title="roysdon.net">SSH key fingerprints</a> [roysdon.net] in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers.  SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.</p></htmltext>
<tokenext>SSL CA authority needs to be tied to domain hierarchy . This sort of domain-based-CA 's should be able to be installed via DNS and DNSSEC [ roysdon.net ] should continue to be rolled out , all the way to the client ( browsers should have methods to verify root DNSSEC , and follow the chain ) . With SSL based on domain hierarchy , you need to know only the root DNS server 's DNSSEC key .
Everything else flows down from that . Then CNNIC would only control .CN .
The US Gov would theoretically only control .US , .GOV , .EDU .
.COM , .NET , .ORG should be run by ( as much as I hate to say it ) the UN . I already put SSH key fingerprints [ roysdon.net ] in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers .
SSL and/or SSL fingerprints could easily be done , if not just the entire CA public key .</tokentext>
<sentencetext>SSL CA authority needs to be tied to domain hierarchy. This sort of domain-based-CA's should be able to be installed via DNS and DNSSEC [roysdon.net] should continue to be rolled out, all the way to the client (browsers should have methods to verify root DNSSEC, and follow the chain). With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key.
Everything else flows down from that. Then CNNIC would only control .CN.
The US Gov would theoretically only control .US, .GOV, .EDU.
.COM, .NET, .ORG should be run by (as much as I hate to say it) the UN. I already put SSH key fingerprints [roysdon.net] in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers.
SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177288</id>
	<title>Re:On the other hand...</title>
	<author>Penguinshit</author>
	<datestamp>1265023980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>AIUI, the Chinese openly admit to interfering with their citizens' Internet access.</htmltext>
<tokenext>AIUI , the Chinese openly admit to interfering with their citizens ' Internet access .</tokentext>
<sentencetext>AIUI, the Chinese openly admit to interfering with their citizens' Internet access.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496</id>
	<title>The whole CA concept is horribly broken</title>
	<author>Omnifarious</author>
	<datestamp>1265024700000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.</p><p>I consider the whole CA system to be fundamentally broken.  But a new system would be so significantly different in both character and detail that I don't know how it could ever happen.  UIs would have to be redesigned.  Crypto geeks would have to start thinking about usability.  I think the world would have to end first.</p><p>But I consider this to be one of the reasons the concept is broken.</p><p>In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity.  Then you'd have to trust a CA at most once.</p></htmltext>
<tokenext>There is no good definition of exactly what you 're trusting them with , no good independent verification that their trustworthiness is deserved , and as far as I know , no legal recourse if it is n't . I consider the whole CA system to be fundamentally broken .
But a new system would be so significantly different in both character and detail that I do n't know how it could ever happen .
UIs would have to be redesigned .
Crypto geeks would have to start thinking about usability .
I think the world would have to end first . But I consider this to be one of the reasons the concept is broken . In my opinion , as a half-baked measure that moves a little in the right direction , browsers would do better to just download the certificate from the website , and then warn you if the certificate ever changed when you went back to a website that claimed the same identity .
Then you 'd have to trust a CA at most once .</tokentext>
<sentencetext>There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't. I consider the whole CA system to be fundamentally broken.
But a new system would be so significantly different in both character and detail that I don't know how it could ever happen.
UIs would have to be redesigned.
Crypto geeks would have to start thinking about usability.
I think the world would have to end first. But I consider this to be one of the reasons the concept is broken. In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity.
Then you'd have to trust a CA at most once.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178298</id>
	<title>I lost faith when they kept the RapidSSL cert.</title>
	<author>DamnStupidElf</author>
	<datestamp>1265028480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>After the security researchers were able to get a rogue CA issued by RapidSSL by exploiting an MD5 collision and the predictable sequence number generation, I wish at least some of the major browsers would have revoked that compromised root CA.  Despite the fact that any attacker could have gotten their own intermediate CA undetected before the exploit was published, no one bothered to remove their implicit trust of the root CA.</htmltext>
<tokenext>After the security researchers were able to get a rogue CA issued by RapidSSL by exploiting an MD5 collision and the predictable sequence number generation , I wish at least some of the major browsers would have revoked that compromised root CA .
Despite the fact that any attacker could have gotten their own intermediate CA undetected before the exploit was published , no one bothered to remove their implicit trust of the root CA .</tokentext>
<sentencetext>After the security researchers were able to get a rogue CA issued by RapidSSL by exploiting an MD5 collision and the predictable sequence number generation, I wish at least some of the major browsers would have revoked that compromised root CA.
Despite the fact that any attacker could have gotten their own intermediate CA undetected before the exploit was published, no one bothered to remove their implicit trust of the root CA.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178414</id>
	<title>One Should Always Trust</title>
	<author>LifesABeach</author>
	<datestamp>1265029080000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>"Trust, but verify." - President Reagan</htmltext>
<tokenext>" Trust , but verify .
" - President Reagan</tokentext>
<sentencetext>"Trust, but verify.
" - President Reagan</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31183096</id>
	<title>Re:The whole CA concept is horribly broken</title>
	<author>Anonymous</author>
	<datestamp>1266502200000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The problem with prompting you on change is that certificates get renewed fairly frequently.  Where I work they won't let us buy more than a year at a time (dumb, but that's the way it is).  It is also beneficial to have fairly short lived certificates just in case they are compromised.  Sure there are revocation lists, but short expiration dates will help keep those lists shorter.</p></htmltext>
<tokenext>The problem with prompting you on change is that certificates get renewed fairly frequently .
Where I work they wo n't let us buy more than a year at a time ( dumb , but that 's the way it is ) .
It is also beneficial to have fairly short lived certificates just in case they are compromised .
Sure there are revocation lists , but short expiration dates will help keep those lists shorter .</tokentext>
<sentencetext>The problem with prompting you on change is that certificates get renewed fairly frequently.
Where I work they won't let us buy more than a year at a time (dumb, but that's the way it is).
It is also beneficial to have fairly short lived certificates just in case they are compromised.
Sure there are revocation lists, but short expiration dates will help keep those lists shorter.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180312</id>
	<title>Re:On the other hand...</title>
	<author>wvmarle</author>
	<datestamp>1265045400000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Even worse for the CA (and that is imho the main reason we can trust a CA, Chinese or American or wherever it is from) is that if this trust is breached it is breached forever. There is a lot to lose by losing that trust, and little to gain (in the long term).</p></htmltext>
<tokenext>Even worse for the CA ( and that is imho the main reason we can trust a CA , Chinese or American or wherever it is from ) is that if this trust is breached it is breached forever .
There is a lot to lose by losing that trust , and little to gain ( in the long term ) .</tokentext>
<sentencetext>Even worse for the CA (and that is imho the main reason we can trust a CA, Chinese or American or wherever it is from) is that if this trust is breached it is breached forever.
There is a lot to lose by losing that trust, and little to gain (in the long term).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177692</id>
	<title>Re:Well in that case</title>
	<author>msauve</author>
	<datestamp>1265025360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Unless your nation has a track record of spying on its citizens web traffic</p></div><p>Who did you have in mind that doesn't fit that description? I'm having a hard time thinking of anyone.<br> <br>The original point was valid. Perhaps it's time to change the cert infrastructure so that two geographically and politically disparate authorities must sign them.<br> <br>Or, maybe get rid of "authorities" altogether, and move to a global "web of trust," a la GPG. Forget that, I don't think I want to trust a cert just because it's accepted by 1,400,000,000 Chinese.</p></div>
	</htmltext>
<tokenext>Unless your nation has a track record of spying on its citizens web traffic
Who did you have in mind that does n't fit that description ?
I 'm having a hard time thinking of anyone .
The original point was valid .
Perhaps it 's time to change the cert infrastructure so that two geographically and politically disparate authorities must sign them .
Or , maybe get rid of " authorities " altogether , and move to a global " web of trust , " a la GPG .
Forget that , I do n't think I want to trust a cert just because it 's accepted by 1,400,000,000 Chinese .</tokentext>
<sentencetext>Unless your nation has a track record of spying on its citizens web traffic
Who did you have in mind that doesn't fit that description?
I'm having a hard time thinking of anyone.
The original point was valid.
Perhaps it's time to change the cert infrastructure so that two geographically and politically disparate authorities must sign them.
Or, maybe get rid of "authorities" altogether, and move to a global "web of trust," a la GPG.
Forget that, I don't think I want to trust a cert just because it's accepted by 1,400,000,000 Chinese.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177074</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180326</id>
	<title>Re:China</title>
	<author>wvmarle</author>
	<datestamp>1265045580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>How much of the hardware you used to type that comment is made in China? I bet most is. Have you ever considered whether you can trust that to do what you think it does, and only what you think it does?</p></htmltext>
<tokenext>How much of the hardware you used to type that comment is made in China ?
I bet most is .
Have you ever considered whether you can trust that to do what you think it does , and only what you think it does ?</tokentext>
<sentencetext>How much of the hardware you used to type that comment is made in China?
I bet most is.
Have you ever considered whether you can trust that to do what you think it does, and only what you think it does?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178830</id>
	<title>Re:The whole CA concept is horribly broken</title>
	<author>DragonWriter</author>
	<datestamp>1265032140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity.</p></div></blockquote><p>Aren't certificates normally not-permanent? So wouldn't this usually occur? I suppose you could just do it within the life of the original cert...</p><p>OTOH, if you are willing to assume that your initial connection is secure and that you trust the person on the other end, one way of providing additional security after that is to provide a secret over the connection that your browser retains. Then, on subsequent connections with the same site, the site proves that it has the secret, and your browser complains if it fails to do so.</p><p>(IIRC, Yahoo! and some other sites actually do a non-automated version of this where after establishing a secure connection, you provide a visual secret that can be echoed back to you on secured sites to demonstrate that it's not an imposter. This doesn't require any changes to the technical infrastructure or browser, but does require you to look for the visual secret.)</p></div>
	</htmltext>
<tokenext>In my opinion , as a half-baked measure that moves a little in the right direction , browsers would do better to just download the certificate from the website , and then warn you if the certificate ever changed when you went back to a website that claimed the same identity .
Are n't certificates normally not-permanent ?
So would n't this usually occur ?
I suppose you could just do it within the life of the original cert...
OTOH , if you are willing to assume that your initial connection is secure and that you trust the person on the other end , one way of providing additional security after that is to provide a secret over the connection that your browser retains .
Then , on subsequent connections with the same site , the site proves that it has the secret , and your browser complains if it fails to do so .
( IIRC , Yahoo !
and some other sites actually do a non-automated version of this where after establishing a secure connection , you provide a visual secret that can be echoed back to you on secured sites to demonstrate that it 's not an imposter .
This does n't require any changes to the technical infrastructure or browser , but does require you to look for the visual secret .
)</tokentext>
<sentencetext>In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity.
Aren't certificates normally not-permanent?
So wouldn't this usually occur?
I suppose you could just do it within the life of the original cert...
OTOH, if you are willing to assume that your initial connection is secure and that you trust the person on the other end, one way of providing additional security after that is to provide a secret over the connection that your browser retains.
Then, on subsequent connections with the same site, the site proves that it has the secret, and your browser complains if it fails to do so.
(IIRC, Yahoo!
and some other sites actually do a non-automated version of this where after establishing a secure connection, you provide a visual secret that can be echoed back to you on secured sites to demonstrate that it's not an imposter.
This doesn't require any changes to the technical infrastructure or browser, but does require you to look for the visual secret.
)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180170</id>
	<title>No trust.</title>
	<author>Anonymous</author>
	<datestamp>1265043960000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Why should they ever consider trusting a shameless organization which distributes <a href="http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution" title="wikipedia.org" rel="nofollow">malware</a> [wikipedia.org] (something really disgusting, took me half an hour to remove with tools like HijackThis) to unsuspecting netizens of China, and steals/deletes .cn domain names at will? And, yes, it's just a puppet of the government.<br> <br>Are they mad? Forgot to do some research first?</htmltext>
<tokenext>Why should they ever consider trusting a shameless organization which distributes malware [ wikipedia.org ] ( something really disgusting , took me half an hour to remove with tools like HijackThis ) to unsuspecting netizens of China , and steals/deletes .cn domain names at will ?
And , yes , it 's just a puppet of the government .
Are they mad ?
Forgot to do some research first ?</tokentext>
<sentencetext>Why should they ever consider trusting a shameless organization which distributes malware [wikipedia.org] (something really disgusting, took me half an hour to remove with tools like HijackThis) to unsuspecting netizens of China, and steals/deletes .cn domain names at will?
And, yes, it's just a puppet of the government.
Are they mad?
Forgot to do some research first?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31182394</id>
	<title>SSL is broken</title>
	<author>muckracer</author>
	<datestamp>1266495180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The issue isn't which government or entity is involved. The real issue is, that SSL relies on a trust model, that flies in the face of anything human beings do in real life to trust someone. Putting blind faith in organizations you have no idea of is, well, a bad idea. Certainly it has nothing to do with trust. If the worry is, that the Chinese gov will use it to stage MITM's then it applies equally to all other gov's. If something can be abused, it will be abused in the name of 'protecting' from [insert favorite horsemen of the day here]. These people will never stop to amass even more snooping power, no matter the location. It's a mindset.<br>So that leaves us with SSL: great encryption (for the time being) - lousy trust/authentication model = lousy overall architecture. All other points of hawking about the Chinese or whomever are completely irrelevant.</p></htmltext>
<tokenext>The issue is n't which government or entity is involved .
The real issue is , that SSL relies on a trust model , that flies in the face of anything human beings do in real life to trust someone .
Putting blind faith in organizations you have no idea of is , well , a bad idea .
Certainly it has nothing to do with trust .
If the worry is , that the Chinese gov will use it to stage MITM 's then it applies equally to all other gov 's .
If something can be abused , it will be abused in the name of 'protecting ' from [ insert favorite horsemen of the day here ] .
These people will never stop to amass even more snooping power , no matter the location .
It 's a mindset .
So that leaves us with SSL : great encryption ( for the time being ) - lousy trust/authentication model = lousy overall architecture .
All other points of hawking about the Chinese or whomever are completely irrelevant .</tokentext>
<sentencetext>The issue isn't which government or entity is involved.
The real issue is, that SSL relies on a trust model, that flies in the face of anything human beings do in real life to trust someone.
Putting blind faith in organizations you have no idea of is, well, a bad idea.
Certainly it has nothing to do with trust.
If the worry is, that the Chinese gov will use it to stage MITM's then it applies equally to all other gov's.
If something can be abused, it will be abused in the name of 'protecting' from [insert favorite horsemen of the day here].
These people will never stop to amass even more snooping power, no matter the location.
It's a mindset.
So that leaves us with SSL: great encryption (for the time being) - lousy trust/authentication model = lousy overall architecture.
All other points of hawking about the Chinese or whomever are completely irrelevant.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31188384</id>
	<title>It's always entertaining</title>
	<author>justkeeper</author>
	<datestamp>1266523500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>To see a bunch of Americans arguing about Chinese issues (threats, human rights) based on their ridiculous perceptions, twice more entertaining when it's a bunch of Slashdot geeks doing this. I'm always amazed to find out despite someone calling the two countries G2, how little people from both countries know each other.</htmltext>
<tokenext>To see a bunch of Americans arguing about Chinese issues ( threats , human rights ) based on their ridiculous perceptions , twice more entertaining when it 's a bunch of Slashdot geeks doing this .
I 'm always amazed to find out despite someone calling the two countries G2 , how little people from both countries know each other .</tokentext>
<sentencetext>To see a bunch of Americans arguing about Chinese issues (threats, human rights) based on their ridiculous perceptions, twice more entertaining when it's a bunch of Slashdot geeks doing this.
I'm always amazed to find out despite someone calling the two countries G2, how little people from both countries know each other.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181258</id>
	<title>Re:No trust.</title>
	<author>matushorvath</author>
	<datestamp>1266526380000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>They are not mad, they just don't have a process for dealing with entities that lie in their application and have immense resources to make those lies appear as truth.</p><p>As a related rant, this is a universal problem in US and other western countries. You have never seen a really evil government in your lives, and you can't begin to imagine what it looks like. You think Obama/Bush/whoever is evil, when they are just misguided, dishonest or stupid. A really evil government does not bother about trying to answer, they just send the troops to make questions go away.</p></htmltext>
<tokenext>They are not mad , they just do n't have a process for dealing with entities that lie in their application and have immense resources to make those lies appear as truth .
As a related rant , this is a universal problem in US and other western countries .
You have never seen a really evil government in your lives , and you ca n't begin to imagine what it looks like .
You think Obama/Bush/whoever is evil , when they are just misguided , dishonest or stupid .
A really evil government does not bother about trying to answer , they just send the troops to make questions go away .</tokentext>
<sentencetext>They are not mad, they just don't have a process for dealing with entities that lie in their application and have immense resources to make those lies appear as truth.
As a related rant, this is a universal problem in US and other western countries.
You have never seen a really evil government in your lives, and you can't begin to imagine what it looks like.
You think Obama/Bush/whoever is evil, when they are just misguided, dishonest or stupid.
A really evil government does not bother about trying to answer, they just send the troops to make questions go away.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180170</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31176906</id>
	<title>Well in that case</title>
	<author>Anonymous</author>
	<datestamp>1265022300000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.</p><p>As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.</p></htmltext>
<tokenext>Maybe I should n't trust the North American Certificates either , since I do n't want my government spying on me either .
As long as the Chinese CA only deals with China , I have no problems with it .
Any of the certifying agencies could be puppets for anyone .</tokentext>
<sentencetext>Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
As long as the Chinese CA only deals with China, I have no problems with it.
Any of the certifying agencies could be puppets for anyone.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178264</id>
	<title>One word: lynx.</title>
	<author>Anonymous</author>
	<datestamp>1265028240000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The only way to be completely safe is to surf the web in plain text.  Never had a virus yet.  Of course, buying stuff on Amazon.com is kinda tricky...</p></htmltext>
<tokenext>The only way to be completely safe is to surf the web in plain text .
Never had a virus yet .
Of course , buying stuff on Amazon.com is kinda tricky.. .</tokentext>
<sentencetext>The only way to be completely safe is to surf the web in plain text.
Never had a virus yet.
Of course, buying stuff on Amazon.com is kinda tricky...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177644</id>
	<title>Forgive me for belaboring the obvious...</title>
	<author>Angst Badger</author>
	<datestamp>1265025180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.</p><p>This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.</p></htmltext>
<tokenext>...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt .
Sooner or later , you will find yourself faced with situations in which you directly or indirectly become party to unethical acts .
This is hardly limited to Google .
We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods .</tokentext>
<sentencetext>...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt.
Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google.
We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298</id>
	<title>China</title>
	<author>Anonymous</author>
	<datestamp>1265023980000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>China has been getting a lot of flak recently, and from how I understand it deservedly.<br>
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?</htmltext>
<tokenext>China has been getting a lot of flak recently , and from how I understand it deservedly .
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market , then how can you trust anything that comes from them ?</tokentext>
<sentencetext>China has been getting a lot of flak recently, and from how I understand it deservedly.
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181152</id>
	<title>Re:The whole CA concept is horribly broken</title>
	<author>mentil</author>
	<datestamp>1266525300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Part of the problem is that the metaphors of padlocks, "secure" and "verified" don't mean what they suggest to users. What's actually involved are encryption and certificates. These concepts would need to be explained to users somehow (ideally through actions instead of words) in order for them to be effective and not just provide a false sense of security. If that means playing a minigame that involves (something like) navigating a maze to find a key to open the front door to let a stranger into your house, so be it. Or a brief multiple-choice quiz. "If you cheat, you're only cheating yourself" indeed.</p><p>Perhaps less invasively, levels of security could be conveyed, with 'just encryption' being represented with a graphic showing that it prevents MITM attacks, and verification that shows that the site is who it says it is.<br>But of course that gets to the core of the certificate issue: the user is trusting the CA to verify sites, and if a CA ever issues a certificate without correctly doing the verification, they effectively become untrustworthy. Either a perfect CA has to be created/found, or the concept has to be scrapped. I can't think of a replacement that doesn't boil down to a whitelist version of an anti-phishing database.</p></htmltext>
<tokenext>Part of the problem is that the metaphors of padlocks , " secure " and " verified " do n't mean what they suggest to users .
What 's actually involved are encryption and certificates .
These concepts would need to be explained to users somehow ( ideally through actions instead of words ) in order for them to be effective and not just provide a false sense of security .
If that means playing a minigame that involves ( something like ) navigating a maze to find a key to open the front door to let a stranger into your house , so be it .
Or a brief multiple-choice quiz .
" If you cheat , you 're only cheating yourself " indeed .
Perhaps less invasively , levels of security could be conveyed , with 'just encryption ' being represented with a graphic showing that it prevents MITM attacks , and verification that shows that the site is who it says it is .
But of course that gets to the core of the certificate issue : the user is trusting the CA to verify sites , and if a CA ever issues a certificate without correctly doing the verification , they effectively become untrustworthy .
Either a perfect CA has to be created/found , or the concept has to be scrapped .
I ca n't think of a replacement that does n't boil down to a whitelist version of an anti-phishing database .</tokentext>
<sentencetext>Part of the problem is that the metaphors of padlocks, "secure" and "verified" don't mean what they suggest to users.
What's actually involved are encryption and certificates.
These concepts would need to be explained to users somehow (ideally through actions instead of words) in order for them to be effective and not just provide a false sense of security.
If that means playing a minigame that involves (something like) navigating a maze to find a key to open the front door to let a stranger into your house, so be it.
Or a brief multiple-choice quiz.
"If you cheat, you're only cheating yourself" indeed.
Perhaps less invasively, levels of security could be conveyed, with 'just encryption' being represented with a graphic showing that it prevents MITM attacks, and verification that shows that the site is who it says it is.
But of course that gets to the core of the certificate issue: the user is trusting the CA to verify sites, and if a CA ever issues a certificate without correctly doing the verification, they effectively become untrustworthy.
Either a perfect CA has to be created/found, or the concept has to be scrapped.
I can't think of a replacement that doesn't boil down to a whitelist version of an anti-phishing database.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177086</id>
	<title>Yeah that is a problem</title>
	<author>Anonymous</author>
	<datestamp>1265023020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Now if only there was a way for anybody to start a certificate authority and to issue certificates, and for the users to decide for themselves which certificate authorities they trust.</p></htmltext>
<tokenext>Now if only there was a way for anybody to start a certificate authority and to issue certificates , and for the users to decide for themselves which certificate authorities they trust .</tokentext>
<sentencetext>Now if only there was a way for anybody to start a certificate authority and to issue certificates, and for the users to decide for themselves which certificate authorities they trust.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31248332</id>
	<title>How could this work?</title>
	<author>JustinLong</author>
	<datestamp>1266955920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I don't see how this would work. It makes the argument that if a CA were under the authority of a government (e.g. China) then it could redirect you to a fake Gmail site but you would think it was actually Gmail. Wouldn't this also require the DNS to be controlled by a government? And even if they did redirect you to a fake site... you'd know it was a fake site because your email wouldn't be there, because you weren't accessing Gmail but a different server. The most they could get you to do (possibly) is divulge your password, right?</htmltext>
<tokenext>I do n't see how this would work .
It makes the argument that if a CA were under the authority of a government ( e.g .
China ) then it could redirect you to a fake Gmail site but you would think it was actually Gmail .
Would n't this also require the DNS to be controlled by a government ?
And even if they did redirect you to a fake site... you 'd know it was a fake site because your email would n't be there , because you were n't accessing Gmail but a different server .
The most they could get you to do ( possibly ) is divulge your password , right ?</tokentext>
<sentencetext>I don't see how this would work.
It makes the argument that if a CA were under the authority of a government (e.g.
China) then it could redirect you to a fake Gmail site but you would think it was actually Gmail.
Wouldn't this also require the DNS to be controlled by a government?
And even if they did redirect you to a fake site... you'd know it was a fake site because your email wouldn't be there, because you weren't accessing Gmail but a different server.
The most they could get you to do (possibly) is divulge your password, right?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177226</id>
	<title>Re:Yeah that is a problem</title>
	<author>F.Ultra</author>
	<datestamp>1265023740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>That didn't work too well for PGP though. Not that PGP is a fail, but the key signing bit went kind of crazy when people started to sign every key they found.</htmltext>
<tokenext>That did n't work too well for PGP though .
Not that PGP is a fail , but the key signing bit went kind of crazy when people started to sign every key they found .</tokentext>
<sentencetext>That didn't work too well for PGP though.
Not that PGP is a fail, but the key signing bit went kind of crazy when people started to sign every key they found.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177086</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181256</id>
	<title>Pre-emptive waste</title>
	<author>scott_karana</author>
	<datestamp>1266526320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>While his concern is very real, if Firefox removes trust for that CA it loses market share in China.<br>And if that happens, then Firefox <i>themselves</i> have negated their own security benefits.<br>I think it's prudent to keep an eye on CNNIC for this very issue, but until suspect behavior is detected, I think that any rash moves on the part of Mozilla could be worse than what's currently seen.</p></htmltext>
<tokenext>While his concern is very real , if Firefox removes trust for that CA it loses market share in China . And if that happens , then Firefox themselves have negated their own security benefits . I think it 's prudent to keep an eye on CNNIC for this very issue , but until suspect behavior is detected , I think that any rash moves on the part of Mozilla could be worse than what 's currently seen .</tokentext>
<sentencetext>While his concern is very real, if Firefox removes trust for that CA it loses market share in China. And if that happens, then Firefox themselves have negated their own security benefits. I think it's prudent to keep an eye on CNNIC for this very issue, but until suspect behavior is detected, I think that any rash moves on the part of Mozilla could be worse than what's currently seen.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177586</id>
	<title>Re:Why not change of certification notification?</title>
	<author>IamTheRealMike</author>
	<datestamp>1265025000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Key changes are a part of life though. Your proposed solution can't distinguish between key rotation and attack, which is a non starter.</htmltext>
<tokenext>Key changes are a part of life though .
Your proposed solution ca n't distinguish between key rotation and attack , which is a non starter .</tokentext>
<sentencetext>Key changes are a part of life though.
Your proposed solution can't distinguish between key rotation and attack, which is a non starter.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177184</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180066</id>
	<title>Trust is a mistake</title>
	<author>mlwmohawk</author>
	<datestamp>1265042880000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>While I can go down the rat hole of an endless paranoia, the fact is that every time you connect to a site, there needs to be a separate path by which you can authenticate certificate for a site with peer review. Perhaps even an old fashioned phone call. Here's my organization's Md5HASH if you don't get the same number, call for support.</p><p>The reality is that we only need a handful of trusted sites, credit card, bank accounts, etc. The browser should be able to link a specific cert and authority to a specific site.</p><p>I never thought the idea of "corporations" being trusted was a good one</p></htmltext>
<tokenext>While I can go down the rat hole of an endless paranoia , the fact is that every time you connect to a site , there needs to be a separate path by which you can authenticate certificate for a site with peer review .
Perhaps even an old fashioned phone call .
Here 's my organization 's Md5HASH if you do n't get the same number , call for support . The reality is that we only need a handful of trusted sites , credit card , bank accounts , etc .
The browser should be able to link a specific cert and authority to a specific site . I never thought the idea of " corporations " being trusted was a good one</tokentext>
<sentencetext>While I can go down the rat hole of an endless paranoia, the fact is that every time you connect to a site, there needs to be a separate path by which you can authenticate certificate for a site with peer review.
Perhaps even an old fashioned phone call.
Here's my organization's Md5HASH if you don't get the same number, call for support. The reality is that we only need a handful of trusted sites, credit card, bank accounts, etc.
The browser should be able to link a specific cert and authority to a specific site. I never thought the idea of "corporations" being trusted was a good one</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177708</id>
	<title>also...</title>
	<author>Anonymous</author>
	<datestamp>1265025420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>a reason why FF would never be accepted by the US Government as an approved browser.</p></htmltext>
<tokenext>a reason why FF would never be accepted by the US Government as an approved browser .</tokentext>
<sentencetext>a reason why FF would never be accepted by the US Government as an approved browser.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177666</id>
	<title>Re:Why not change of certification notification?</title>
	<author>rainer\_d</author>
	<datestamp>1265025300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>One "simple" solution would be for the browser to remember which certificate or CA that a page uses, and put up a warning if it ever changed (within the validation period). A warning if the site all of the sudden went http would perhaps also be a good idea.</p><p>Yes, people ignore warnings, but it would at least help us in the know.</p></div><p>Well, Firefox is open source...</p></div>
	</htmltext>
<tokenext>One " simple " solution would be for the browser to remember which certificate or CA that a page uses , and put up a warning if it ever changed ( within the validation period ) .
A warning if the site all of the sudden went http would perhaps also be a good idea . Yes , people ignore warnings , but it would at least help us in the know . Well , Firefox is open source.. .</tokentext>
<sentencetext>One "simple" solution would be for the browser to remember which certificate or CA that a page uses, and put up a warning if it ever changed (within the validation period).
A warning if the site all of the sudden went http would perhaps also be a good idea. Yes, people ignore warnings, but it would at least help us in the know. Well, Firefox is open source...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177184</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177184</id>
	<title>Why not change of certification notification?</title>
	<author>F.Ultra</author>
	<datestamp>1265023560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>One "simple" solution would be for the browser to remember which certificate or CA that a page uses, and put up a warning if it ever changed (within the validation period). A warning if the site all of the sudden went http would perhaps also be a good idea.

Yes, people ignore warnings, but it would at least help us in the know.</htmltext>
<tokenext>One " simple " solution would be for the browser to remember which certificate or CA that a page uses , and put up a warning if it ever changed ( within the validation period ) .
A warning if the site all of the sudden went http would perhaps also be a good idea .
Yes , people ignore warnings , but it would at least help us in the know .</tokentext>
<sentencetext>One "simple" solution would be for the browser to remember which certificate or CA that a page uses, and put up a warning if it ever changed (within the validation period).
A warning if the site all of the sudden went http would perhaps also be a good idea.
Yes, people ignore warnings, but it would at least help us in the know.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181148</id>
	<title>Re:One Should Always Trust</title>
	<author>Anonymous</author>
	<datestamp>1266525300000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"That sentence seems to be at odds with itself." - Anonymous Coward</p></htmltext>
<tokenext>" That sentence seems to be at odds with itself .
" - Anonymous Coward</tokentext>
<sentencetext>"That sentence seems to be at odds with itself.
" - Anonymous Coward</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178414</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181526</id>
	<title>No.</title>
	<author>Anonymous</author>
	<datestamp>1266485640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>No.</p></htmltext>
<tokenext>No .</tokentext>
<sentencetext>No.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181216</id>
	<title>something is wrong</title>
	<author>matushorvath</author>
	<datestamp>1266525960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>On one hand Firefox will annoy to hell if you access a site with self-signed certificate, on the other hand they make you trust the Chinese government by default. Personally I trust a self-signed certificate million times more than a certificate signed by the Chinese authority. And any other authority is only marginally better than self-signed, since they will issue a certificate to basically anyone with minimum checking.</p><p>With the self signed one at least I know they are not trying to fool me, and I know whether site certificate has changed since my last visit. With "trusted" certificate you don't gain any more certainty than that, in fact you gain less because the certificate can change without you even noticing.</p></htmltext>
<tokenext>On one hand Firefox will annoy to hell if you access a site with self-signed certificate , on the other hand they make you trust the Chinese government by default .
Personally I trust a self-signed certificate million times more than a certificate signed by the Chinese authority .
And any other authority is only marginally better than self-signed , since they will issue a certificate to basically anyone with minimum checking . With the self signed one at least I know they are not trying to fool me , and I know whether site certificate has changed since my last visit .
With " trusted " certificate you do n't gain any more certainty than that , in fact you gain less because the certificate can change without you even noticing .</tokentext>
<sentencetext>On one hand Firefox will annoy to hell if you access a site with self-signed certificate, on the other hand they make you trust the Chinese government by default.
Personally I trust a self-signed certificate million times more than a certificate signed by the Chinese authority.
And any other authority is only marginally better than self-signed, since they will issue a certificate to basically anyone with minimum checking. With the self signed one at least I know they are not trying to fool me, and I know whether site certificate has changed since my last visit.
With "trusted" certificate you don't gain any more certainty than that, in fact you gain less because the certificate can change without you even noticing.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31179184</id>
	<title>Why worry about China?</title>
	<author>Anonymous</author>
	<datestamp>1265035380000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>My personal opinion is that this goes far beyond China. I actually trust cacert certificates more than any issued by a US corporation. Yes, China is bad, but it is really naive to think that the US government should be trusted more than China.</p></htmltext>
<tokenext>My personal opinion is that this goes far beyond China .
I actually trust cacert certificates more than any issued by a US corporation .
Yes , China is bad , but it is really naive to think that the US government should be trusted more than China .</tokentext>
<sentencetext>My personal opinion is that this goes far beyond China.
I actually trust cacert certificates more than any issued by a US corporation.
Yes, China is bad, but it is really naive to think that the US government should be trusted more than China.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177248</id>
	<title>Of course gov's will spy</title>
	<author>dragisha</author>
	<datestamp>1265023800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And of course, it's in interest of its citizens. Use irony at will :).<br>Some news are just boring these days. This government good, that government bad.... I suppose we just need simplemindedness of Animal Farm, it's soo good.<br>Thus said, any person who trusts her privacy to Windo*s is just ridiculous when she starts worrying about governments. Who needs government with spyware stargate on his desk?</p></htmltext>
<tokenext>And of course , it 's in interest of its citizens .
Use irony at will : ) . Some news are just boring these days .
This government good , that government bad.... I suppose we just need simplemindedness of Animal Farm , it 's soo good . Thus said , any person who trusts her privacy to Windo * s is just ridiculous when she starts worrying about governments .
Who needs government with spyware stargate on his desk ?</tokentext>
<sentencetext>And of course, it's in interest of its citizens.
Use irony at will :). Some news are just boring these days.
This government good, that government bad.... I suppose we just need simplemindedness of Animal Farm, it's soo good. Thus said, any person who trusts her privacy to Windo*s is just ridiculous when she starts worrying about governments.
Who needs government with spyware stargate on his desk?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052</id>
	<title>On the other hand...</title>
	<author>Anonymous</author>
	<datestamp>1265022960000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
</p></htmltext>
<tokenext>If the Chinese CA were stupid enough to actually perform this attack , it would be easy to gain incontrovertible evidence of their spying , as the hijacked responses would all be digitally signed with their signature .</tokentext>
<sentencetext>
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177562</id>
	<title>Re:Yeah that is a problem</title>
	<author>IamTheRealMike</author>
	<datestamp>1265024880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>How would that work? Even expert users can't easily know that an arbitrary CA follows a set of rules unless they are audited, and that's what the current process gives you (CNNIC passed the audits).</htmltext>
<tokenext>How would that work ?
Even expert users ca n't easily know that an arbitrary CA follows a set of rules unless they are audited , and that 's what the current process gives you ( CNNIC passed the audits ) .</tokentext>
<sentencetext>How would that work?
Even expert users can't easily know that an arbitrary CA follows a set of rules unless they are audited, and that's what the current process gives you (CNNIC passed the audits).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177086</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31179218</id>
	<title>Reputation-based trust?</title>
	<author>davidwr</author>
	<datestamp>1265035620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>* Color-code the "secure lock icon" by the trust level of the root authority - less-trusted signers and signers without tight controls on who they sign get yellow, more-trusted ones get green.</p><p>* Put always-visible-by-default information saying who signed the page AND who the root is.  If acme.com's signature is root-signed by Verisign, I should see "acme.com verified by Verisign" somewhere on the screen, probably in unobtrusive fine print.</p></htmltext>
<tokenext>* Color-code the " secure lock icon " by the trust level of the root authority - less-trusted signers and signers without tight controls on who they sign get yellow , more-trusted ones get green .
* Put always-visible-by-default information saying who signed the page AND who the root is .
If acme.com 's signature is root-signed by Verisign , I should see " acme.com verified by Verisign " somewhere on the screen , probably in unobtrusive fine print .</tokentext>
<sentencetext>* Color-code the "secure lock icon" by the trust level of the root authority - less-trusted signers and signers without tight controls on who they sign get yellow, more-trusted ones get green.
* Put always-visible-by-default information saying who signed the page AND who the root is.
If acme.com's signature is root-signed by Verisign, I should see "acme.com verified by Verisign" somewhere on the screen, probably in unobtrusive fine print.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177626
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31197856
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178414
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177692
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177074
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31176906
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178830
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31183096
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178036
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177212
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181590
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181258
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180170
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181152
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177288
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177666
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177184
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177972
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180326
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177562
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177086
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181990
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177830
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181962
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178376
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177586
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177184
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31183454
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178414
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177226
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177086
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_221224_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180312
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177184
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177586
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178376
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181962
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177666
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177212
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178036
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177052
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180312
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177288
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177972
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177830
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181990
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177298
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31183454
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180326
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177626
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178414
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31197856
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181148
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180170
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181258
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177496
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181590
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31181152
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31183096
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178830
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31176906
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177074
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177692
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177086
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177226
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31177562
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31178938
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_221224.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_221224.31180066
</commentlist>
</conversation>
