* Ben Bucksch:
> On 03.01.2009 18:09, Florian Weimer wrote:
>>> Are you saying that Fluff, Inc. could get a cert for mozilla.org,
>>> assuming Fluff, Inc. reveals its legal identity?
>>
>> Yes, that's the essence.
>
> Well, that's a hole large enough that you can drive a trunk through.

It's suggested that some domain validation is involved as well. But certain organizations face quite a few difficulties accepting mail at certain addresses or putting literally random stuff on their web site, so I'm not surprised that those requirements have been relaxed. (And matching WHOIS can't be made mandatory because there might not be any WHOIS to match, or WHOIS data which contains usable contact information in the context of the application.)

There are simply no official records linking the Mozilla Foundation to mozilla.org (if it actually owns the domain, which isn't 100% clear to me). This means that it's never possible to link the legal side (where you've got registers of companies, notaries public, and whatnot) to the DNS side (where there's little to no regulation, depending on the TLD). On top of that, it's generally very hard to prevent attacks which involve non-existent entities (like obtaining database locks on records which don't exist).

I don't think the EV guidelines completely deal with this issue, and rightly so. However, EV certificates are sometimes marketed as if they guarantee that the entity is trustworthy (and is not trying to trick you into some phishing scam, for instance, or make poor investment choices).

> I'm sure it's pretty easy to set up shell companies etc.

Here's a German article on a related type of fraud that actually occurs:

<http://www.spiegel.de/spiegel/0,1518,druck-598487,00.html>

Apparently, failed real companies are routinely sold to fake shell companies, bypassing normal bankruptcy laws. Along the way, the willingness of certain notaries to certify almost everything is exploited. 8-(

However, my main point is that under the EV process, corporations can sponsor EV certificates for organizations which can't get them directly. We'll see if addons.mozilla.org is considered sufficient proof of that claim.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto