Nelson Bolyard wrote:
Gerv agreed with this when he wrote:
Yes, and actually, SSL goes much further than DNSsec. The latter is
good to prevent DNS spoofs and is much-needed, but it does nothing to
protect the content.
(This was me, not Gerv, BTW.)
In fact, I have asserted many times that the ONLY way a CA can be sure of
domain validation is if the DNS for that domain is hosted by that CA.
I wouldn't say that is the only way, but it would be one very good way for
DV CAs to improve the worth of their certificates.
FYI, a good deal of GeoTrust resellers are actually hosters. Maybe
that's where the huge reseller number comes from. I know my hoster,
ev1servers.net, offers that in their administration web frontend for the
server. In theory, that can be relatively secure - they have a direct
channel to the server. They can even have the real name verified via a
credit card (and the banks probably use a far stronger verification than
even EV mandates).
That's the theory. In practice, that web frontend is cheap and probably
terribly insecure. It's dripping with root passwords (not mine) and
other stuff. A lot of support people have access to it.
This *huge* gap between theory and practice is what scares me about the
EV guidelines. Esp. when "site audit" is defined as stepping into the
lobby, I know who is going to perform site audits, and how. Think UPS
delivery boys.
--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
