It is not easy to decide what makes for a dodgy cert and what does not. Here's a case of an apparent anti-virus tool that is being sold under false pretenses.
http://www.edbott.com/weblog/archives/000496.html
(It looks like paid spyware to me ...)
The blog investigator dug deeper and found that the cert they were using was issued to ChoicePoint. Whether ChoicePoint are involved or not is not clear, as this is a very murky case.
I think this highlights that it is simply not possible to not issue dodgy certs. There is nothing a CA can do, nor MF can do, to guarantee no fraud, and no failures. Piling in more and more restrictions doesn't help; as, if the money is there to be stolen, procedures are easy to breach.
About the only thing that is likely to help in cases like these is reputation. ChoicePoint has lost a lot of market value (5%?) from the recent episode, and in future users aren't going to be that happy about their cert. That information needs to be displayed.
iang
Actually,
if the CAs were forced to deal with someone, in person, with photo ID, and papers, just like getting a driver's license, SIN card or bank account, then there would be far less chance of mis-issued certs.
But that would take legislation, in every single country, to be effective.
Jaqui G

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security