Nelson B wrote:
> Jean-Marc Desperrier wrote:
>> Malicious Code Signing chapter :
>> "signatures can still be obtained with relative ease and anonymity. 
>> Code-signing keys can be obtained anonymously via the use of prepaid 
>> credit-cards and false details. Pre-paid credit cards can be bought and
>> charged locally with cash without the requirement of presenting I.D.8 
> 
> If you can identify a CA that sells *code signing* certs on that basis,
> requiring no more than a valid credit card for issuance, and who is in
> mozilla's trusted cert list, please report that CA here to us.

Any CA that agrees to deliver code signing certificates to individuals 
and not companies will have an extremely hard time doing a high quality 
identity verification.
If I myself had to design a really trustable, international identity 
verification system for random individuals, I don't know how I could 
succeed.

Both Thawte and Comodo apparently restrict the registration to entities 
who can provide a D-U-N-S number, so they do not have the problem.
I didn't see any alternative mechanism to enter detailed 
authentication info for individuals, so I conclude they *do not* issue 
code signing certs for individuals.

I didn't find a document officially stating what kind of verification 
GlobalSign is doing, but if I have to judge only by the following 
registration process, I'm really worried it might be little more than 
accepting any valid credit card:
https://www.globalsign.net/digital_certificate/objectsign/requestcert.cfm?FieldYear=2&cur=us

The next page asks me to enter a Surname/First Name/Phone number for 
the Technical Contact, and an Admin Contact Person with email, Street & 
number, and Phone number in addition to the Payment Method info.
So the question is: will they properly identify and reject a 
non-responding number or a cell phone number?

My check of course was very superficial and might very well have missed 
that GlobalSign in truth blocks the issuance until they have done many, 
many verifications.


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto