lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050216153305.GB26303@syjon.fantastyka.net>
Date: Wed, 16 Feb 2005 16:33:06 +0100
From: "Janusz A. Urbanowicz" <alex@...h.net.pl>
To: Christopher Jastram <cej@...ech.com>
Cc: Scott Gifford <sgifford@...pectclass.com>,
	bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


On Mon, Feb 14, 2005 at 10:28:22AM -0500, Christopher Jastram wrote:

> >X.509/TLS is not for assuring if the server you are connected to is lawful.

> Could a CA be held liable for certifying a domain that was clearly
> intended to deceive for unlawful purposes?  Perhaps as an accessory to the
> crime?

I guess this is very interesting question from the lawyer's point of view.
IANAL. And it definitely depends of your and your CA and your case perp's
jurisdictions. My guess is also that law doctorates and whole careers were
built on cases less complicated than this.

> Do they have humans looking at the certification requests?  If a CA 
> looks at a certificate that's clearly intended for criminal purposes, 
> and certifies it, could they be an accessory to the crime?

They should have. I'm pretty convinced that at least for some personal certs
the certification is automatic. As for being prone for litigation for this,
see the previous paragraph.

Alex
-- 
mors ab alto 
0x46399138


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ