Message-ID: <20050216153305.GB26303@syjon.fantastyka.net>
Date: Wed, 16 Feb 2005 16:33:06 +0100
From: "Janusz A. Urbanowicz" <alex@...h.net.pl>
To: Christopher Jastram <cej@...ech.com>
Cc: Scott Gifford <sgifford@...pectclass.com>,
bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
On Mon, Feb 14, 2005 at 10:28:22AM -0500, Christopher Jastram wrote:
> > X.509/TLS is not for assuring that the server you are connected to is lawful.
> Could a CA be held liable for certifying a domain that was clearly
> intended to deceive for unlawful purposes? Perhaps as an accessory to the
> crime?
I guess this is a very interesting question from the lawyer's point of view.
IANAL. And it definitely depends on your, your CA's and your case's perp's
jurisdictions. My guess is also that law doctorates and whole careers were
built on cases less complicated than this.
> Do they have humans looking at the certification requests? If a CA
> looks at a certificate that's clearly intended for criminal purposes,
> and certifies it, could they be an accessory to the crime?
They should have. I'm pretty convinced that at least for some personal certs
the certification is automatic. As for being prone to litigation for this,
see the previous paragraph.
Alex
--
mors ab alto
0x46399138