Eddy Nigg wrote:
On 11/15/2008 05:19 PM, Florian Weimer:
* Alaric Dailey:
DNSSEC is an assertion of validity of the DNS.
EV certs assert that the business behind the cert is legit.

Only that a legal entity exists (whether it's "legitimate" is not
checked).  EV certificates are routinely issued to organizations which
do not run the business which eventually uses the certificate.

Can you please back up your claim and provide us with a few examples? Since this happens routinely, I'm sure you won't have a problem providing us with some...

Businesses are bought and sold all the time. A good reputation is a fungible asset that is often part of the valuation process in the sale of a business. The extreme example is the "bustout," where organized crime takes over a business with a good reputation and uses it as a platform for criminal activities (a favorite is stock brokerage.)

It's happened a number of times online. There's the old scheme of the crook who finds an eBay merchant with an excellent feedback score, buys his ID and his computer (getting all the cookies and MAC address etc. with it) and sells a thousand imaginary laptops.

There are companies like Toysmart.com, a good company that ran into trouble in the dotcom bust and sold itself to some mysterious entity that was out to make interesting use of customer information, disregarding of course all of Toysmart's privacy statements. Some good investigative journalism shined the spotlight on one of Toysmart's stockholders, Disney, which bought it out at the last minute and killed it to protect their own reputation.

Businesses with good reputations and EV certificates can get into trouble. When that happens, the reputation and certificates become a very visible asset to buyers with money and bad reputations.

WK



_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
