Ian G
Tue, 29 Mar 2005 05:41:01 -0800
Hendrik,
in a lot of the below, you are disagreeing in the detail of what I wrote, but agreeing in the big picture. What I was trying to say was that looking at whois is a roughly bad test, like all the others, and ruling it out isn't going to be a useful addition to the policy.
On the specific issue of RFC 2821, my point was to show that RFC 2821 may be a written down document that you all abide by, but in the real world it means nothing much more or better than anything else. Looking at the postmaster address is just another 'bad test' among dozens of others.
Literally, all these tests are bad. They are all fakeable in some sense or other. So the only thing that a CA can do is do more and more of the tests, and hope that this raises the barrier - the cost - enough such that it isn't worth it to an attacker.
In such a world, Frank's policy really has a lot of trouble deciding what to rule out and what to rule in.
iang
> Ian G <[EMAIL PROTECTED]> writes:
> > The way identity and control tests fundamentally work is that they take as many pieces of information as they can get economically and confirm each one as being consistent.
> > This only works if an attacker is unable to fake a consistent picture.
> > So for identity and control purposes, looking at the whois registry is quite a reasonable idea.
> It may be a good idea in some cases, and in other cases it is not. Therefore I think that looking at whois information does not provide a generally reliable way to increase the security of the identification process.
> > It's when the number of tests sinks down to 1 that it gets a bit silly, but unfortunately, it's very hard to say where the line is to be drawn. In some countries, looking at the whois will be quite authoritative.
> Maybe. But it is definitely out of the scope of a browser's CA policy to address such issues.
> > > Probably the only way to make sure that only the domain owner receives the mail is to send it to [EMAIL PROTECTED]
> > How does that make you sure?
> RFC 2821.
> > Speaking as an ordinary domain owner, I don't receive email at [EMAIL PROTECTED] The only reason I know this is that there is about one and only one place on the Internet that tells me my mail is not being accepted because I don't receive email to postmaster! I've never bothered to change this because it isn't obvious - and all the other domains I know of (across about 6-10 different administrations) probably don't have it set either.
> Well, if you have misconfigured your system, you cannot participate in such an authentication process. Doesn't seem to be too harsh to me.
> > > However, the other problems (MITM, password sniffing) mentioned in Juraj Bednar's article still persist. It seems to me that it is a really bad idea if domain control certs are included in browsers the same way as certs with proper verification.
> > They are already there, aren't they? One would need to propose that they be taken out.
> I have already thrown out some, but I don't have a complete list.
> > > Another problem that came to my mind is how to deal with malicious CAs. One way would be to make the costs of getting included in the browsers higher than the possible profits out of malicious use of the CA. But this is not really desirable and probably only a short-term solution since the possible profits are increasing over time.
> > Yes, that whole area is a bit of a deal killer. The cost of a CA is in the order of 100k, more and less. (Anybody got any figures on that?)
> The cost to implement and run a CA that meets the requirements set in the policy draft is probably lower by one order of magnitude.
> Hendrik
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
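Added example, not part of the message above and not code from any CA's validation system: the postmaster check that the RFC 2821 exchange in the thread turns on, written as an offline SMTP probe in Python. It runs only the envelope stage of a session (EHLO, MAIL FROM:<>, RCPT TO:<postmaster@domain>) against a scripted stand-in for the domain's mail exchanger, so the host name, domain names and reply strings are constructed; a real probe would send the same lines over a socket to the domain's MX host. It separates the three outcomes a practitioner has to tell apart: a 2xx reply (the mandatory mailbox is accepted), a 5xx reply (the misconfiguration Ian describes for his own domain), and a 4xx reply (greylisting, which is not evidence either way).

```python
"""Domain-control probe for the RFC 2821 'postmaster' mailbox.

Added example; this is not from the mozilla-crypto thread or from any CA.
RFC 2821 section 4.5.1 requires every SMTP server that delivers or relays
mail to accept the case-insensitive local name 'postmaster'.  The probe
talks to a scripted stand-in (ScriptedMX) so it runs offline; the server
name, domains and reply texts are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ScriptedMX:
    """Constructed stand-in for a domain's mail exchanger.

    accepts_postmaster=False models the situation described in the thread:
    a domain whose server rejects postmaster@ although RFC 2821 says it
    must exist.  temp_fail=True models greylisting (a 4xx reply).
    """
    domain: str
    accepts_postmaster: bool = True
    temp_fail: bool = False
    seen: list = field(default_factory=list)   # every command received

    def respond(self, line: str) -> str:
        self.seen.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            return "250 mx.example.invalid Hello"
        if verb == "MAIL":
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            m = re.match(r"RCPT TO:<([^>]*)>", line, re.IGNORECASE)
            local, _, dom = (m.group(1) if m else "").rpartition("@")
            # RFC 2821 4.5.1: 'postmaster' is matched case-insensitively.
            if local.lower() == "postmaster" and dom.lower() == self.domain.lower():
                if self.temp_fail:
                    return "451 4.7.1 Greylisted, try again later"
                if self.accepts_postmaster:
                    return "250 2.1.5 Recipient ok"
                return "550 5.1.1 No such user"
            return "550 5.1.1 No such user"
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def probe_postmaster(domain: str, send) -> tuple:
    """Run the envelope stage of an SMTP session and classify the result.

    `send(line) -> reply` is whatever transport reaches the MX host; here it
    is ScriptedMX.respond.  Returns (status, transcript) with status one of
    "accepted", "rejected", "retry" or "error".  No DATA is ever sent, so
    nothing is delivered: a 250 here only says the server advertises the
    mailbox, not that mail to it reaches the domain owner.
    """
    transcript = []

    def cmd(line: str) -> str:
        reply = send(line)
        transcript.append((line, reply))
        return reply

    try:
        if not cmd("EHLO probe.example.invalid").startswith("250"):
            return "error", transcript
        # Null reverse-path: a probe must never be able to generate a bounce.
        if not cmd("MAIL FROM:<>").startswith("250"):
            return "error", transcript
        reply = cmd(f"RCPT TO:<postmaster@{domain}>")
        code = reply[:1]
        if code == "2":
            status = "accepted"
        elif code == "4":
            status = "retry"      # greylisting or load shedding; try later
        else:
            status = "rejected"   # 5xx: server denies the mandatory mailbox
        cmd("RSET")               # abandon the envelope without sending DATA
        return status, transcript
    finally:
        cmd("QUIT")


if __name__ == "__main__":
    for mx in (ScriptedMX("example.com"),
               ScriptedMX("example.org", accepts_postmaster=False),
               ScriptedMX("example.net", temp_fail=True)):
        status, log = probe_postmaster(mx.domain, mx.respond)
        print(f"{mx.domain}: {status}")
        for sent, got in log:
            print(f"  C: {sent}\n  S: {got}")
```

What this does and does not establish matters for the policy argument in the thread. Acceptance at RCPT time says only that the server claims the mailbox exists; anyone positioned between the CA and the MX host, or with access to that mailbox, passes the check just as the owner would, which is the MITM and sniffing point Hendrik raises. Some mail servers also treat null-sender callout probes as abuse, so a CA would normally send a real verification message and act on the reply rather than probe in this way; the probe is useful mainly for telling a hard 5xx rejection apart from a temporary 4xx before blaming the applicant's configuration.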
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto