Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> Issuing certificates which claim to be validated without such vetting
>> ever having been performed is tantamount to KNOWINGLY and WILLINGLY
>> contributing to a possible fraud. I claim that issuing wild card
>> certificates without proper vetting as described above equals the same.
>>
>
> I don't have much to add to Nelson's comments, so I'm just going to
> summarize my opinion on the issue of wildcard certs and domain
> validation: Your points about the potential for fraud are well-taken, as
> is your point about having an identified entity to pursue in the event
> of fraud.

OK

> However as I see it these points apply equally as well to
> vanilla DV certs (i.e., for a single domain name) as they do to wildcard
> DV certs.
>

Not really. Let me try this again with an example (wearing my obligatory costume as envisioned by Nelson ;-) ).

Subscriber requests a certificate for paypal.domain.com.

Would such an SSL secured site for this specific domain fool many visitors? [yes]
Does this domain name present a potential risk? [yes]
Does the CA know upfront about its potential (mis)use? [yes]
Can the CA intervene in the process before issuing a certificate for this domain? [yes]
Can the CA visit the corresponding site and verify its content? [yes]
Can the CA revoke the certificate immediately? [yes]

However now the subscriber requests a certificate for *.domain.com:

Can such a certificate be potentially used to fool many visitors? [yes]
Can the domain name present a potential risk? [yes]
Does the CA know upfront about its potential (mis)use? [no, there is none at this stage]
Can the CA intervene in the process before issuing a certificate for this domain? [no, there is no reason to intervene]
Can the CA visit the corresponding site and verify its content? [no, it doesn't know which sub domain will be potentially used and when]
Can the CA revoke the certificate immediately? [no, only after a fraud has been committed already and brought to the attention of the CA]

The points above don't equally apply! IV reduces the risk greatly for wild card certificates, compared to DV only.

> When we created our CA policy the rough consensus was that DV certs have
> a valid place in the grand scheme of things.

Correct, we have agreed on that already.

> Given that, I think
> wildcard DV certs are just as valid.

I don't agree, see above. They are only technically valid, but of course you can disagree with me.

> Such certs may not be suitable for
> legitimate ecommerce purposes, but that's what EV certs are for.

IV/OV certificates may be legitimate as well. It's the standard applied and distinction in the browser which makes them different. :-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution!
<http://blog.startcom.org>
Phone: +1.213.341.0390
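The contrast drawn in the message above, as an added example that is not part of the original post or any CA's actual tooling: a pre-issuance name screen sees the label in paypal.domain.com but gets no signal from *.domain.com, although the wildcard later covers the same host. The watchlist, function names and decision strings are assumptions made for illustration.

```python
# Added illustration. HIGH_RISK_LABELS is a constructed watchlist, not a real CA list.
HIGH_RISK_LABELS = {"paypal", "bank", "login"}


def _labels(name):
    return name.lower().rstrip(".").split(".")


def screen_request(name):
    """Pre-issuance screen on a requested DNS name (hypothetical CA check)."""
    labels = _labels(name)
    is_wildcard = labels[0] == "*"
    visible = labels[1:] if is_wildcard else labels
    if any(k in label for label in visible for k in HIGH_RISK_LABELS):
        return "manual-review"
    # For a wildcard the left-most label is unknown at issuance time,
    # so a clean result says nothing about the hosts it will later serve.
    return "no-signal" if is_wildcard else "clear"


def wildcard_matches(pattern, host):
    """Whole-label wildcard matching: '*' covers exactly one left-most label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def covered_but_unscreened(pattern, later_hosts):
    """Hosts the issued certificate covers that would have been flagged
    had they been requested by name."""
    if screen_request(pattern) == "manual-review":
        return []
    return [h for h in later_hosts
            if wildcard_matches(pattern, h)
            and screen_request(h) == "manual-review"]


if __name__ == "__main__":
    for requested in ("paypal.domain.com", "*.domain.com"):
        print(requested, "->", screen_request(requested))
    # Constructed list of hosts observed after issuance.
    seen = ["www.domain.com", "paypal.domain.com", "paypal.other.com"]
    print(covered_but_unscreened("*.domain.com", seen))
```

Partial-label wildcards such as `w*.domain.com` are deliberately not handled here.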