Date: Wed, 16 Feb 2005 16:33:06 +0100
From: "Janusz A. Urbanowicz" <alex@...h.net.pl>
To: Christopher Jastram <cej@...ech.com>
Cc: Scott Gifford <sgifford@...pectclass.com>,
	bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


On Mon, Feb 14, 2005 at 10:28:22AM -0500, Christopher Jastram wrote:

> >X.509/TLS is not for assuring if the server you are connected to is lawful.

> Could a CA be held liable for certifying a domain that was clearly
> intended to deceive for unlawful purposes?  Perhaps as an accessory to the
> crime?

I guess this is a very interesting question from the lawyer's point of view.
IANAL. And it definitely depends on your, your CA's and your case perp's
jurisdictions. My guess is also that law doctorates and whole careers were
built on cases less complicated than this.

> Do they have humans looking at the certification requests?  If a CA 
> looks at a certificate that's clearly intended for criminal purposes, 
> and certifies it, could they be an accessory to the crime?

They should have. I'm pretty convinced that at least for some personal certs
the certification is automatic. As for being prone to litigation for this,
see the previous paragraph.

Alex
-- 
mors ab alto 
0x46399138

