Andrews, Rick:
> I'd also like to add my two cents from some time spent studying
> "confusable" domain names that could be used for fraud. The solution,
> IMO, if one can be crafted, must be done upstream at domain name
> registration time.
This is from our perspective wishful thinking! Many registrars sell just about anything they can, no matter what. Neither do they perform any background checking. CAs don't have any control over that and don't/shouldn't rely on information found at registrars. Nor do all registrars have policies in place to prevent the registration of such domain names in the first place (some do have trademark-related policies).

> If a domain name has been lawfully purchased, and
> none of the CA's vetting fails (company is legit, company owns the
> domain name, etc.) the CA has no grounds for refusing to issue a cert.

Which means (as in your example above) that the CA has performed enough background research in order to clearly identify the subscriber. The issue at hand is about domain validated certificates generally and domain validated wild card certificates in particular, where control of the sub domain doesn't exist from the CA perspective.

> It would be like a car salesman refusing to sell me a car because he
> thought I was going to use it in a crime.

Rick, I'm sure Verisign would flatly refuse a certificate for paypa1.com or paypal.domain.com. Nor do I believe that Verisign issues unvalidated (DV only) wild card certs in the first place. CAs aren't really comparable to car vendors, but rather to the authority approving the car for public consumption and/or issuing the licenses in order to drive the car. Just think about it... ;-)

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
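The two cases Eddy names, a lookalike registration such as paypa1.com and a brand name sitting under someone else's DV wildcard such as paypal.domain.com, as an added example that is not part of the original thread and not StartCom or Verisign code. It shows why a wildcard for *.domain.com covers paypal.domain.com under RFC 6125 matching rules, and a minimal confusable-name check that would flag both hostnames. The brand list, the lookalike map and the "registrable domain is the last two labels" rule are assumptions made for illustration; a real check would use the public suffix list and the Unicode confusables data (UTS #39).

```python
"""Two checks a CA (or a relying party) might run on a requested name.

Added illustration for the thread above, not StartCom or Verisign code.
The brand list, lookalike map and two-label registrable-domain rule
are assumptions made for this example.
"""
import unicodedata

# Constructed for this example: brands worth protecting and the domains
# that legitimately belong to them.
PROTECTED_BRANDS = {"paypal"}
LEGITIMATE_DOMAINS = {"paypal.com"}

# Toy lookalike map. Real confusable detection uses the Unicode
# confusables table (UTS #39); this only covers ASCII substitutions.
MULTI_CHAR_LOOKALIKES = {"rn": "m", "vv": "w"}
SINGLE_CHAR_LOOKALIKES = {"1": "l", "0": "o", "3": "e", "5": "s",
                          "7": "t", "@": "a", "|": "l"}


def normalize_label(label):
    """Fold a DNS label to the ASCII word a human would read it as."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in MULTI_CHAR_LOOKALIKES.items():
        s = s.replace(seq, repl)
    return "".join(SINGLE_CHAR_LOOKALIKES.get(ch, ch) for ch in s)


def registrable_domain(hostname):
    """Assumption: last two labels. Production code needs the public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def confusable_brand(hostname):
    """Return the protected brand a hostname could be mistaken for, else None.

    Catches both paypa1.com (lookalike in the registrable label) and
    paypal.domain.com (brand used as a subdomain of an unrelated domain).
    """
    if registrable_domain(hostname) in LEGITIMATE_DOMAINS:
        return None
    for label in hostname.lower().rstrip(".").split("."):
        folded = normalize_label(label)
        for brand in PROTECTED_BRANDS:
            if brand in folded:
                return brand
    return None


def wildcard_matches(cert_name, hostname):
    """RFC 6125 style matching: '*' only as the whole leftmost label,
    matching exactly one label, and never directly under a public suffix."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        # Refuse *.com style wildcards: require at least two fixed labels.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in cert_name:
        return False  # partial-label wildcards such as pay*.com are not honoured
    return pattern == host


def assess_issuance(cert_name, requested_host):
    """What a DV wildcard issued for cert_name would let requested_host do."""
    covered = wildcard_matches(cert_name, requested_host)
    brand = confusable_brand(requested_host) if covered else None
    return {"covered": covered, "confusable_with": brand}


if __name__ == "__main__":
    print(confusable_brand("paypa1.com"))
    print(assess_issuance("*.domain.com", "paypal.domain.com"))
    print(assess_issuance("*.domain.com", "a.b.domain.com"))
```

The point of `assess_issuance` is that the CA validating control of domain.com alone never sees the label paypal: the wildcard hands that label to the subscriber after issuance, which is exactly the gap Eddy describes for DV wildcard certificates.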