On Thu, 16 Mar 2006 15:10:50 EST, Brian Eaton said:
> My read of that statement is that Geotrust sees nothing wrong with
> their verification process and is not going to take any action to
> prevent this from happening again.
>
> The incentives for the CAs are in all the wrong places. They suffer
> no financial harm when they certify a false identity. Instead, they
> make a quick buck.

It's more subtle than that. Geotrust didn't do *anything* wrong. They issued a cert for www.mountain-america.net to the rightful owners of www.mountain-america.net. There's no reason to raise a flag here, as nothing nefarious has happened. They're not up for a financial hit for certifying a false identity, because they certified the real identity correctly, as per their procedures. There's little to nothing that Geotrust can do about the fact that after they properly certified mountain-america.net, it turned around and pretended to be mntamerica.net.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
