At 10:26 PM +0300 5/27/07, Eddy Nigg (StartCom Ltd.) wrote:
>I just want to add a thought or two after following this thread from
>the sidelines...
>
>Paul Hoffman wrote:
>
>>>
>>>I don't know if I like the idea of saying that a commercial
>>>organization has more authority to identify for global commerce than
>>>any individual government, though.
>>>
>>>
>>
>>Exactly. I strongly suspect that KISA would do a better job at
>>checking identification of a Korean company in .com than the CAs in
>>the lowest quartile of capabilities whom we fully trust to do so.
>>
>CAs obviously rely heavily on government issued identification
>documents and registrations (of organizations).

I stopped reading here. That is completely untrue for the majority of the CAs in the Mozilla trust root pile. The majority of CAs issue certificates based on a challenge-response mechanism that verifies the existence of a domain name and/or email address, and that's all. A few CAs offer higher-assurance certificates to some of their customers, but that is the extremely tiny minority of certificates.

Further, at least in the US, the "government issued identification documents" are not from the federal government (which is what this thread is about), but from state governments. This thread is about federal governments.