Florian Weimer wrote:
> I don't think the register of companies is useful for this purpose.
> Anyone can get on it.

Sure you can get on it, but under which name? You can't incorporate "eBay GmbH" in Germany, because there's already a company in that name, nor "eBay Internet Services GmbH" or whatever you make up.

> Good fake passports are usually cheaper than government-issued ones.

For German passports? Please tell me suppliers :).

(Beloved government agency of any kind: This was a joke, or rather purely out of interest.)

> Experience tells that there is
> close to zero risk for the CA, so it does not make sense to spend
> money on better checks.

Fine, if they think so, let them bet their money on it. *Their* money, not that of others.

> And since there are so few attacks, we haven't got a good threat
> model, either.

I posted a threat model a year or longer ago on n.p.m.crypto. S/MIME is pretty much useless due to the free, automatically issued certs. Read there for details.

> Personally, I think that in order to make a difference, EV
> certificates must verify not only that the certificate holder is in
> control of embedded domain names (the usual EV CPS is basically
> equivalent to domain-control certificates in this area), but also that
> the certificate holder has got all the relevant trademark rights.

Makes sense. Add fair checks to the requirements as you want, but those 3 I mentioned are the minimum, IMHO.

--
When responding via mail, please remove the ".news" from the email address.