Gervase Markham wrote:
But let me turn the question around: if "social engineering" means you can't trust what anyone says about anything, how do you establish anything to be true?

The government takes care of that, registering people when they are born, issuing passports and ID cards for them. And we can check the signatures against that.

That's the base of my argument, put shortly: Everything else is hearsay.

And this is why I am gently trying to suggest that not everywhere else in the world is like Germany. You are quite happy with "the government registers everybody when they are born"; in other countries, that doesn't happen as people see it as an infringement of civil liberties.

*sigh* We had that. I just knew people would pick on that sentence. Yes, I understand the political dimension. I just don't *know* how the US ensures that passports are not issued to the wrong person or with wrong names, but I'm pretty sure the DHS *does* make sure of that. So, either use ID cards, which a lot of countries have and can be used easily and safely, or the passport, which is not usually considered a threat to civil liberties, and exists *everywhere* in the world. (And I think we discussed enough the fact that some US people don't have one.)

Or some other reliable way, depending on the country. Basically, you need a signature that will hold up in court. Do ***what. ever*** is appropriate in your country.

there's no signature (and check of it) necessary, that's the problem.

How would this check you speak of work?

*sigh*! That's the starting post of this thread.

ask him the question in person rather than over the phone doesn't seem to me to be any more secure.

While "in person" certainly helps, that was not the point, rather the verified signature. There are a number of weaknesses in using the phone:
* How to get the phone number (discussed enough)
* Intercepting calls. The whole SSL thing is about preventing interception of communication. How can you claim it's not a significant threat, esp. during the most important - and one time - verification phase, I don't know. Intercepting phone may or may not be harder than Internet, but intercepting VoIP (which many people and companies and whole countries are using or starting to use) is probably even *easier* than intercepting email, due to more indirections and channels.
* Social engineering, like imitating voices, calling the reception from outside, claiming to be Fred on travel, and asking to have all calls routed to some other number.

The list goes on.

I really don't see this "obvious" pattern of terrible CA behaviour that people seem to think exists.

Well, what made us talk about EV in the first place?
Why is the 'cert holder' field complete crap in current certs?

I believe we are doing either:

Foo Boot and Shoe Corp dba. Clark's Shoes
(with dba standing for Doing Business As)
or
Clark's Shoes, xxx Foo Boot and Shoe Corp.
(with xxx standing for some abbreviation which means the reverse of dba).

They should definitely be separate fields. Both for general format design, and because the "dba" won't be understood *at all* by non-US/UK people, and probably not even the concept. I would have thought "dba" is a form of corporation like "Inc." or "GmbH", so not even looked it up. I was very confused first time I saw it, even though I had context.

--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
