* Ben Bucksch:

> Now, 3 years later, some scammers and spammers actually notice me and
> set up fake SSL sites with my certs.

Not just fake sites. Some of the OEM software spammers use valid SSL certificates for the checkout procedure, e.g.:

<https://secure.securesoftmarket.com/>

For those trying to figure out who has issued the certificate: Equifax (the data broker) sold the root to Geotrust, which was then bought by Verisign.

> I smile.

I fear that most of the historic root certs and many of the newer ones have problems comparable to Comodo and Verisign. This is a good situation for the CAs because it limits what browsers and end users can do. It's difficult to select business partners who do not suffer from those backyard (or frontyard) problems, so why bother at all?

Usually, if the industry is not totally rotten, some players clean up the field, often using the court system (we see attempts at that in the antivirus market, for instance). I doubt that this will happen with certificates because it's hard to see why issuing a certificate creates liability, while delegating a domain does not. And this is a matter many players will only touch with a ten-foot pole.