Message-ID: <242a0a8f0603161348s7625bfcav4c5b9a685f7caf9@mail.gmail.com>
Date: Thu Mar 16 21:48:53 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: HTTP AUTH BASIC monowall
On 3/16/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> On Thu, 16 Mar 2006 15:10:50 EST, Brian Eaton said:
>
> > My read of that statement is that Geotrust sees nothing wrong with
> > their verification process and is not going to take any action to
> > prevent this from happening again.
> >
> > The incentives for the CAs are in all the wrong places. They suffer
> > no financial harm when they certify a false identity. Instead, they
> > make a quick buck.
>
> It's more subtle than that.
>
> Geotrust didn't do *anything* wrong. They issued a cert for www.mountain-america.net
> to the rightful owners of www.mountain-america.net. There's no reason to raise
> a flag here, as nothing nefarious has happened. They're not up for a financial hit
> for certifying a false identity, because they certified the real identity
> correctly, as per their procedures.
>
> There's little to nothing that Geotrust can do about the fact that after they
> properly certified mountain-america.net, it turned around and pretended to be
> mntamerica.net.

Your point is definitely valid; Geotrust did what they said they would
do. I'd like to see their process changed so that it included a more
serious check into the business whose web site they are verifying. A
good goal would be for a CA to be able to establish an identity well
enough that after six months they could find the entity to whom they
issued the certificate. Then an SSL certificate would imply some
degree of accountability.

Something simple from a technical perspective would be for CAs to have
a 90 day waiting period before issuing an SSL certificate. If the
cert was purchased with a stolen credit card, that gives plenty of
time for the fraud to come to light. That's obviously not a 100%
solution, but it would raise the bar a bit. A waiting period might
not be reasonable from a business perspective. I wonder what
percentage of CA revenue comes from mom and pop internet store fronts
that aren't willing to wait that 90 days?

I started digging around on Geotrust's web site looking for their
policy on issuing certificates and stumbled across a FAQ on
high-assurance SSL certificates. This sounds like a step in the right
direction.

http://www.geotrust.com/products/ssl_certificates/hassl_faq.asp

- Brian