"Perry E. Metzger" <[EMAIL PROTECTED]> writes: >An object lesson in this just fell in my lap -- I just got my first email >from a spammer that links to a web site that uses such a cert, certified by a >CA I've never heard of ("Starfield Technologies, Inc.") Doubtless they sell >discount "Enhanced Security" certs so you don't have to worry about paying >more money either. I haven't checked the website for drive by malware, but I >wouldn't be shocked if it was there.
There's another data source that's examined the effect of EV certs and browser blacklists on a much larger scale, namely the APWG statistics. They show an essentially flat distribution for phishing from January 2007 to January 2008, the period of phase-in of EV certs and the browser anti-phishing filters. In other words the attack stats show that the effect of EV certs was exactly as expected. (Hat tip to an APWG member who made this point during a conference talk recently). >I'm thinking of starting a CA that sells "super duper enhanced security" >certs So you could have EV certs, EEV certs, EEEV certs, EEEEV certs, a PKI equivalent of the 'aptitude -v[v[v[v[v[v...]]]]] moo' trick. Every couple of years when people realise that the current level of (E^n)V certs work no better than the (E^n-1)V certs that preceded them did, you add another 'E' and everyone gets to pay again for a new set of certs. The only potential problem is that all the CAs would have to agree to add more E's in lock-step, otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the most E's the quickest wins. Peeeeeeeter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]