Tuesday, December 04, 2001, 3:30:22 PM, Darryl Green wrote:

>> > 2) More importantly I would like to discuss the meaning of SSL:
>> > QuickSSL certificates do not verify identity. The fine print on the QuickSSL
>> > certificate acknowledges that this is the case (Organizational Unit not
>> > Validated -- or some such language appears)
>
> Identification is not completed to the same degree as traditional Web
> Certificates

Which isn't a bad thing. To be honest, it's no more than what the current CAs do. Thawte: I sent a copy of my driver's license, which matched the registration information. With more registrars, I can change the information in the whois rather easily to match whatever identity I want the cert to be issued in the name of, and provide the most flimsy documentation to get it.

> The CPS states -- "GeoTrust will verify that the Subscriber had the right to
> use such Domain Name at the time it submitted its application." --- This is
> not identity.

To be honest, that is all the current CAs do.

> No matter though.. the more important conversation is whether or not that
> 'identity' component is important.

The important conversation is just how different the two really are, and whether the difference is in fact worth the exorbitant prices being charged by CAs today for what should be a service worth no more than the cost of a single month's worth of hosting.

>> Sure they do, they verify it to the same standard that DOMAIN
>> REGISTRARS like Tucows do for transfers of domains. If this standard
>> is ok for domain transfers, then it should be ok for SSL Certs.
>
> This is not exactly the same thing. The 'True' identity of the counterparty
> in a domain name transfer isn't all that important. The important item is
> that 'Whoever-it-is' needs to have control of the domain name for the
> purposes of transferring it. The Admin contact is the de facto owner of the
> domain and has the right to control its transfer (it doesn't matter if the
> e-mail address is [EMAIL PROTECTED] and the contact info says First
> Name: Darth, Last Name: Vader). However, if you are going into a contract
> of sale for that domain name, the contract of sale has to be with a real
> individual (person or business). You shouldn't contract with an Alias. You
> will never be able to enforce it.
>
> An e-commerce transaction is more analogous to the contracting process than
> the transferring process.

The difference here is slight, if at all. The certs are not used to validate contracts in any way. As a matter of fact, read Entrust's and Thawte's CPSs: they SPECIFICALLY DISCLAIM any responsibility for the identity of the certificate holder anyway. What good is their "higher"-hassle identity verification if they don't stand behind it anyway?

>> Once the domain has changed hands in a transfer, getting a cert for it
>> would be easy. There is no inherent benefit of the other CAs'
>> practices in this regard over Geotrust's.
>
> True if you are always dealing with already trusted entities. If I am giving
> my payment to an Amazon.com web site and get confirmation e-mails from
> [EMAIL PROTECTED], I have good evidence that shows that my transaction was
> with Amazon and I know who controls the domain name. If I am dealing with an
> unknown entity, the situation is different. If I order a set of Pirelli
> tires from HayBobs.com (no slight intended if haybob really exists), I
> forward payment and then never receive my tires. Hay Bob doesn't really
> exist, none of the contact info in the whois is legit. I have no recourse.
> If I gave them payment over a secure connection... I know who he is and can
> seek recourse.

Doesn't mean that any of the info in the cert is correct either. And to be honest, the "verification" of that is not occurring in any of the CAs' processes.

>> I bet they are. This presents a serious threat to the "old style" way
>> of doing things, and threatens to turn the entire SSL Cert market on
>> its head. I bet they want to stop it.
>
> It's true that there is a lot of self-interest to wade through (you and I
> both have it as well). However, on balance, I believe that for the Internet
> to become the dominant means of transferring goods and services of all
> values there will have to be a means of binding off-line identity with
> on-line identity.

Consumers don't seem to think this is as important an issue as you do, though.

> This will be necessary for dispute resolution.

The CAs don't provide this now. They specifically DISCLAIM any such responsibility, as a matter of fact. The last thing we need is to see the CA system try to increase its mission. There are other methods for achieving these types of goals, including BBB-type programs.

>> I say screw 'em.
>
> Fair enough, but we can't ignore them. Microsoft has stated that they will
> revoke the browser root for companies that don't pass the WebTrust audit.

So what? I think that those wanting to break this system need to start thinking out of the envelope. You can get your CA certs into those users' systems without the browser makers. It's time to end the browser makers' control over this industry; they have no inherent right to dictate the terms.

>> Bullocks. The identity is verified to the same standard required by
>> domain registrars.
>
> Bullocks...Good word! Have you been watching re-runs of MASH?

Nope, just like the word :)

--
Best regards,
William X Walsh <[EMAIL PROTECTED]>
--
Webcertificates.info
SSL Certificates for resellers from $49ea
--
