Gervase Markham:
> Eddy Nigg wrote:
>> I wouldn't state it this way, otherwise we urgently need to modify the
>> Mozilla CA policy! An attacker shouldn't be successful in such an
>> attempt and CAs should have controls in place to detect such attempts.
>
> If that's true, then what controls do Startcom (to take an example)
> already have in place to detect this sort of thing?
> http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
>
> How would you know if I was using such a flaw to intercept the email
> traffic between Startcom and a site, in order to get a cert for that site?
>

Hehe...you don't really expect me to disclose now publicly each and every control in place, but I can share some with you...

For example we have personnel monitoring all CA activities around the clock. Amongst other things, we make sure to a reasonable extent that the subscribers are who they claim to be - even in the Class 1 (free) settings. Every site (to which the certificate is issued) is inspected at some point by one of our robots (the subscriber even receives a nice message congratulating upon successful installation ;-) ). WHOIS records are inspected and matched against the subscriber details both on software level and manually. Sample reviews are performed manually by our staff. Certificates are flagged for manual review by us according to certain criteria, including blacklists of known phishing sites, well known brands and domain names, financial institutions, other suspicious features etc, etc...

All this on top of other controls, some of them of a logistical nature and software based etc...I'm not claiming it's not possible, but I feel comfortable with what we do...especially since we don't rely only on electronics alone. But then there is the design of the infrastructure, which itself can make a difference already.

I think that's enough for now... :-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto