* Ben Bucksch: > We need to connect online business with real world business. I want to > have somebody to sue - who won't vanish when poked at. And I want that > the info in the cert is actually correct. > > I really thing that every CA-issued certificate must be verified using > the following steps: > > 1. Using the official state register of companies to verify company > name and representing natural person
I don't think the register of companies is useful for this purpose. Anyone can get on it. > 2. Acquiring written signature (original) of that person Not very useful in itself. > 3. Checking the signature against the ID card / passport of that person Good fake passports are usually cheaper than government-issued ones. > This, and pretty much only this, will ensure that the card holder > really is who he claims to be, in real life, as seen by the government > and courts. Thus, before EV, I assumed that the above is performed for > the $100/year certs. Part of the reason for the price drop was that there were so few impersonation attacks against CAs. Experience tells that there is close to zero risk for the CA, so it does not make sense to spend money on better checks. There is simply no liability you need to shift. I don't see why this is going to change with EV certificates. And since there are so few attacks, we haven't got a good threat model, either. Personally, I think that in order to make a difference, EV certificates must verify not only that the certificate holder is in control of embedded domain names (the usual EV CPS is basically equivalent to domain-control certificates in this area), but also that the certificate holder has got all the relevant trademark rights. Wildcard certificates would probably have to go, too. _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
