[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42136B3B.8050603@sdf.lonestar.org>
Date: Wed, 16 Feb 2005 10:48:11 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: Gwendolynn ferch Elydyr <gwen@...tiles.org>
Cc: Scott Gifford <sgifford@...pectclass.com>,
Neil W Rickert <rickert+bt@...niu.edu>, bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows
attackers to spoof domain name URLs + SSL certs.
Gwendolynn ferch Elydyr wrote:
>> Well, I meant more accountable than CAs are. I still think that that
>> statement is accurate if you take my meaning.
>
>
> Actually I don't take your meaning. I'd appreciate it if you could
> spell out why you think that one organization paid to provide trust is
> different from another organization paid to provide trust.
>
Simple: relative physical location.
The local BBB is accountable to local laws. CAs are spread throughout
the world and are global in nature. As a member of a local community, I
can choose to familiarize myself with those regulations, understand
them, and use them against the BBB if they violate their trust. I can
also choose to go on a crusade against the local BBB.
Listen, I'm sure that you have a bone to pick with the BBB and I have no
quarrel with that. My point isn't that the BBB is a reputable, great
organization (I don't really believe that it is). My point is that the
CAs aren't trustworthy in that way and are even less trustworthy in my
view than the BBB.
I think that deep down we're agreeing on the point that they're
inherently untrustworthy. My point in saying "if you take my meaning"
was to hi-light that rather than focus on this relatively minor
nitpicking of point. I'm not the first one in this thread to bring up
the BBB. So take your point up with the person who did bring it up, please.
-Barry
Powered by blists - more mailing lists