actually ... not really ... this was discussed early this summer as to what they
actually check ... and how trivial it is to fabricate necessary details to pass
such checking

random ref:

http://www.garlic.com/~lynn/aadsmore.htm#client3

in general it is sufficient to have registered any DBA name & have a d&b entry
plus some misc. other stuff ... all relatively easy to establish. Since the DBA
name & d&b entry aren't cross-checked as part of the SSL certificate validation
... just the domain name in the certificate against the domain name used ... you
could be really surprised at what comes up for DBA names.

I've had credit card statements that listed the DBA names which had absolutely
no relationship to the name of the store I had been to ... which I eventually
had to call both the credit card company/bank and the store to figure out what
was going on.





Ben Laurie <[EMAIL PROTECTED]> on 11/19/2000 04:08:39 AM

To:   Lynn Wheeler/CA/FDMS/FDC@FDC
cc:   Bram Cohen <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
      [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
      [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:  Re: Public Key Infrastructure: An Artifact...



[EMAIL PROTECTED] wrote:
>
> the current SSL domain name infrastructure supposedly exists because of issues
> with trusting the domain name infrastructure ... except the SSL domain name
> certificate issuer has to trust the same (untrusted) domain name infrastructure
> when issuing a certificate (i.e. the SSL domain name certificate is no better
> than the authentication authority that the certificate authority has to rely on
> as the final arbitrator of domain name ownership).
>
> one of the integrity issues with the domain name infrastructure ... is that
> domain names have been hijacked ... once hijacked ... you can go to certificate
> authority and get a certificate with that domain name (and the certificate
> authority will check with the domain name system and confirm that the requester
> owns the domain name).

The difference is that a CA _also_ binds the certificate to a legal
entity. When the fraud is discovered, the identity of the fraudster is,
too.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
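The point made at the top of this thread, that SSL certificate validation compares "just the domain name in the certificate against the domain name used" and never looks at the DBA or organization fields, is illustrated by the following added example. It is not code from the thread or from any of its participants; it is a stand-alone Python implementation of RFC 2818 / RFC 6125 style hostname matching over a hand-built certificate dict in the shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate, its names and its organization string are constructed for the example, and IDNA handling is deliberately left out (an assumption, noted in the code).

```python
"""Hostname-vs-certificate matching in the style of RFC 2818 / RFC 6125.

Constructed example: the certificate below is a hand-built dict in the shape
returned by ssl.SSLSocket.getpeercert(); no real certificate is involved.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName pattern from a certificate covers hostname.

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    left-most label of a pattern with at least three labels, and it matches
    exactly one label, so '*.example.com' covers 'a.example.com' but neither
    'example.com' nor 'a.b.example.com'. IDNA is not handled here (assumption).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names a client is allowed to match against: every DNS subjectAltName,
    or, only when the certificate has no subjectAltName at all, the subject
    commonName (the legacy rule)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def hostname_matches_certificate(cert: dict, hostname: str) -> bool:
    """The whole of what hostname verification decides: some DNS name in the
    certificate matches the name the client connected to. No other subject
    attribute (organizationName, locality, ...) takes part in this decision."""
    return any(_dns_name_matches(name, hostname) for name in certificate_names(cert))


def subject_organization(cert: dict) -> str:
    """Return the organizationName RDN. A user who opens the certificate viewer
    sees it; the hostname check above never reads it."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


# Constructed certificate: the organization field carries an arbitrary
# DBA-style name with no relation to the site, the situation described above.
CONSTRUCTED_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "XYZ Holdings LLC DBA Some Other Name"),),
        (("commonName", "shop.example.com"),),
    ),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}


if __name__ == "__main__":
    for host in ("shop.example.com", "www.example.com", "example.com", "a.b.example.com"):
        print(f"{host:20} matches: {hostname_matches_certificate(CONSTRUCTED_CERT, host)}")
    print("organization shown to user:", subject_organization(CONSTRUCTED_CERT))
```

Swapping the organization string for any other value leaves every result of `hostname_matches_certificate` unchanged, which is the practical content of the remark that the DBA name and the D&B entry are not cross-checked during validation: whatever identity a CA recorded in the subject, the client only ever tests the DNS names.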