Florian Weimer wrote:
There are simply too many of them, and not all of them implement checks for conflicts. I'm pretty sure I could legally register "Metzdowd" in Germany for say, restaurant service.
This indeed is the crux of the weakness of the SSL/secure browsing/CA system. The concept called for "all CAs are equal" which is an assumption that is easily shown to be nonsense.
Until that assumption is reversed, the secure browsing application is ... insecure. (I of course include "no CA" and "self-signed certs" within the set of "all CAs.")
The essence of any fixes in the browsers should be to address the (rather fruitful) diversity amongst CAs, and help the user to make choices amongst the brands of same.
Some CAs are more equal than others... and the sooner a browser recognises this, the better.
These bodies could issue logo certificates.
These certificates would only have value if there is extensive verification. We probably lack the technology to do that cheaply right now, and the necessary level of international cooperation.
I'm not sure I understand how logo certs would work, as there is still the possibility of same being issued by CA-Nigeria and having remarkable similarity to those issued by USPTO.
Until the CA is surfaced and thrust at the face of the user, each browser's 100 or so root CAs will be a fundamental weakness. Including of course the absence of CA, which is something that is nicely hidden from the user.
iang
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]