Gervase Markham wrote:
At the moment, the fact that someone has to make at least some effort
to prove that they are who they say they are, and provide verifiable
contact details, is the only mechanism (however weak it may be) that
we have for tracking sites to people. If a phishing site is forced
to buy an SSL cert to make themselves more genuine, there is at least
some sort of audit trail back to the phisher.

CAcert's policy of giving certs to anyone with a working email address undermines this. This reduces the amount of verification a cert gives to "if I see www.amazon.com in the URL bar, I'm on www.amazon.com". And, with the new punycode-based identical-glyph character attacks, that's currently no guarantee at all.

You're making it seem like CAcert will issue SSL certs for any domain to "anyone with a working email address".


For them to issue you an SSL cert you have to add the domain to your account. When you want to add a domain you put in the domain name (example.com) and then it offers you a choice of verification addresses of:

[EMAIL PROTECTED]
hostmaster@example.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

and it then sends an email to the chosen address. In the browser it says:

The domain 'example.com' has been added to the system, however before any certificates for this can be issued you need to open the link in a browser that has been sent to your email address.

The contents of the email are as follows:

Below is the link you need to open to verify your email address. Once your address is verified you will be able to start issuing certificates till your heart's content!

<link snipped because it was one of my actual domains>

Best regards
CAcert.org Support!

This means I can't start getting amazon.com SSL certs unless I have control over one of the administrative email boxes of amazon.com, and if *that* is the case, then either I work for Amazon and this is valid, or Amazon has other things to worry about than rogue sites, such as their email system's security. CAcert's policy with SSL certs is just that you have to have control of the domain to get certs for it.

As to their email certs, they don't put your real name on the cert until your identity is verified by at least 2 people in their "web of trust", PGP-style. It just says "CAcert User Cert".


I'm not saying they should or shouldn't be included. I'm just trying to make sure they're not being misrepresented. I would like them to be included, but I doubt they ever will be.

-Dave
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
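The domain-control check Dave walks through above (add the domain, pick one of a fixed set of administrative mailboxes at that domain, open the emailed link), modelled as an added example that is not CAcert's code. Only hostmaster@ is visible in the thread; the other local-parts in ADMIN_LOCAL_PARTS, the 24-hour token lifetime and the single-use rule are assumptions chosen to show the properties the thread relies on.

```python
"""Model of email-based domain-control validation (added example, not CAcert's code)."""
import hashlib
import secrets
import time

# Assumed whitelist: the page only shows hostmaster@; the rest are typical admin mailboxes.
ADMIN_LOCAL_PARTS = ("hostmaster", "postmaster", "webmaster", "admin", "root")
TOKEN_TTL = 24 * 3600  # assumed lifetime of a verification link, in seconds


def verification_choices(domain):
    """The only addresses a validation mail may be sent to: fixed mailboxes at the domain itself.
    The requester chooses among these; they never supply a free-form address."""
    domain = domain.strip().lower().rstrip(".")
    if not domain or any(c in domain for c in "@/ \t"):
        raise ValueError("malformed domain")
    return [f"{lp}@{domain}" for lp in ADMIN_LOCAL_PARTS]


class DomainValidator:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}     # sha256(token) -> (account, domain, address, expires_at)
        self.validated = set() # (account, domain) pairs that may have certs issued

    def start(self, account, domain, address):
        """Bind a fresh random token to (account, domain, address). The token is returned
        here only so the caller can mail it to `address`; it is never shown to the requester."""
        if address not in verification_choices(domain):
            raise ValueError("address is not an administrative mailbox of that domain")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the secret
        self._pending[key] = (account, domain.lower().rstrip("."), address, self._now() + TOKEN_TTL)
        return token

    def confirm(self, token):
        """Called when the link is opened. Tokens are single use and expire."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # pop: a replayed link fails
        if entry is None:
            return False
        account, domain, _address, expires_at = entry
        if self._now() > expires_at:
            return False
        self.validated.add((account, domain))
        return True

    def may_issue(self, account, domain):
        return (account, domain.lower().rstrip(".")) in self.validated
```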