Frank Hecker wrote:

> IMO the issue of authenticating the identity of certificate applicants is to a large degree orthogonal to the issue of preventing phishing attacks based on misleading domain names. It's perfectly possible to imagine a CA granting an SSL certificate to a company with a misleading domain name...

Right.  This is one reason why the branding ideas
of Amir & Ahmad converge with my ideas so that
both the site's logo and the CA's logo appear on
the chrome.  It doesn't stop a CA issuing a duff
cert, but if VeriSign were to issue a duff cert spoofing
an existing customer, it would be a much more serious
thing than if Comodo were fooled over a VeriSign
customer.

So, if the CA logo is also shown with the site logo,
then the user will police the space between the CAs,
by noticing the CA has changed.  And the CA will
police the space within its own cert-buying space,
by matching all requests to its existing customers.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto