Eddy Nigg (StartCom Ltd.) wrote, On 2008-03-16 08:37:
> Frank Hecker:
>> To play devil's advocate here:
> Yes, I love real world examples! And this is such a serious issue and
> I'll try to play the devil myself...

I envision a photograph of Frank and Eddy, wearing mustaches and red capes with horns and sporting tridents. :)

> [...] I view this similar to code signing
> certificates where there is no other indication such as a URL in the
> addressbar or an email address. Why aren't code signing certificates just
> email validated?

Well, actually, some have been issued that were validated by not much more.

The CAB Forum is working on a set of "guidelines" for EV code signing certs. They're going beyond merely defining minimum acceptable criteria for name validation. They're suggesting changes (or perhaps minimum standards) to the ways in which EV signatures are applied to code, to mitigate the problem of software signatures being invalidated when certs expire. IMO, their proposal would greatly improve the value of code signing, not only because of improved signer name validation but also for forcing the industry to deal with long lived signatures. Sadly, I don't see many signs that Mozilla is interested or participating in this work. I guess we're going to end up having this

Referring to the issuance of certs for names like paypal-host.com or paypal.hosting.com, Eddy wrote:
> [...] CAs have and should have proper measures in place to
> prevent this from happening in the first place.

You need to define "this" very carefully.

>> The key word here is "knowingly". This language in the policy was
>> intended to cover cases where CAs were willing and knowing accomplices
>> to fraud.

And, IMO, does not cover cases where certs were used for fraud AFTER they were issued, if there was no foreknowledge of the intent for fraud.

This raises the question: How can DV CAs, whose issuing processes are almost entirely automatic, have any such foreknowledge? Eddy seems to suggest (I think) that there is some basis upon which potentially fraudulent domain names can be denied certs on some basis not yet defined (AFAIK).

I think that, in the absence of some well defined and widely agreed set of criteria, all DV issuers always have an out, namely, "We had no knowledge that there was any fraudulent intent."

> Issuing certificates which claim to be validated without such vetting
> ever having been performed is tantamount to KNOWINGLY and WILLINGLY
> contributing to a possible fraud. I claim that issuing wild card
> certificates without proper vetting as described above equals the same.

I don't accept that until after there is some well defined standard by which CAs can properly judge that for themselves. Until then, CA decisions to refuse to issue certs for certain domain names are going to be arbitrary, and not well correlated to fraudulent intent, IMO.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
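The long-lived-signature problem raised in the message above (signatures dying when the signing cert expires), as an added example that is not code from the thread or from the CAB Forum guidelines: a simplified model comparing a check bound to the cert's expiry against one anchored at a trusted timestamp countersignature. The certificate and signature records are constructed, and the revocation rule (a revocation dated at or before the signing time invalidates the signature, a later one does not) is an assumption of this model, not a statement of any product's behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed, simplified model: real certificates and signatures carry far more,
# but the validity window, revocation date and timestamp are all this check needs.
@dataclass
class SigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None means not revoked


@dataclass
class CodeSignature:
    cert: SigningCert
    timestamp: Optional[datetime]           # trusted timestamp countersignature, if any


def valid_expiry_bound(sig: CodeSignature, now: datetime) -> bool:
    """Naive policy: the signature lives only as long as the certificate does."""
    c = sig.cert
    if not (c.not_before <= now <= c.not_after):
        return False
    return c.revoked_at is None or now < c.revoked_at


def valid_timestamp_anchored(sig: CodeSignature, now: datetime) -> bool:
    """Long-lived policy: judge the certificate as of the trusted signing time.
    Assumed rule: a revocation dated at or before the signing time invalidates
    the signature (the key may already have been compromised); a later one does not."""
    if sig.timestamp is None:               # untimestamped: nothing to anchor to
        return valid_expiry_bound(sig, now)
    c, t = sig.cert, sig.timestamp
    if not (c.not_before <= t <= c.not_after):
        return False
    return c.revoked_at is None or t < c.revoked_at


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: a cert that expired before the check, checked on the date of this thread.
CERT = SigningCert("Example Publisher (constructed)", _utc(2007, 1, 1), _utc(2008, 1, 1))
NOW = _utc(2008, 3, 16)

def compare_policies(sig: CodeSignature, now: datetime = NOW) -> dict:
    """Return the verdict of both policies so the difference is visible side by side."""
    return {"expiry_bound": valid_expiry_bound(sig, now),
            "timestamp_anchored": valid_timestamp_anchored(sig, now)}
```

A signature timestamped in mid-2007 fails the expiry-bound check in March 2008 but passes the timestamp-anchored one; an untimestamped signature on the same cert fails both.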