David Stutzman wrote:
This means I can't start getting amazon.com ssl certs unless I have control over one of the administrative email boxes of amazon.com

I don't want to speak for Gerv, but I don't believe he's concerned about CAcert or other CAs issuing fraudulent SSL certs for "amazon.com"; he's concerned about CAs issuing SSL certs for misleading domain names like "amaz0n.com". (This is a "toy" example; a more real-world example would involve a domain using Unicode characters that are not in the Latin1 set but happen to look like "a", "m", "z", etc., in terms of their visual appearance to the user -- the so-called "punycode" attack.)


I think the key issues here are as follows:

1. As a general question, can or should CAs do anything to detect requests associated with misleading domains of the type that might be associated with phishing attacks?

2. What (if anything) can and should we (the Mozilla project in general, and the Mozilla Foundation in particular) do with regard to this? (For example, would this warrant putting additional requirements on CAs whose certs are pre-loaded into Firefox, etc.?)

In this regard I've already expressed my opinion that our requiring WebTrust audits or even "strong" verification of applicants by CAs does not necessarily address the phishing problem in this context. But of course others are welcome to add their own thoughts on this...

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
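
One way a CA could screen certificate requests for the look-alike names discussed in the message above ("amaz0n.com", punycode-encoded Unicode look-alikes), as an added example that is not part of the original email or any CA's actual process. The CONFUSABLES table, the PROTECTED watch list and all function names are constructed for illustration; a real check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately tiny tables (assumptions for illustration only).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
               "\u0440": "p", "\u0441": "c", "\u0455": "s"}   # Cyrillic r, s, dze
PROTECTED = {"amazon.com", "paypal.com"}  # hypothetical watch list


def to_unicode(domain):
    """Decode xn-- (punycode) labels so the checks see what the user sees."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Rough script set of a label, taken from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens belong to no script
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(domain):
    """Map each character to its Latin look-alike, if the table has one."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def review(requested):
    """Return the reasons a certificate request deserves manual review."""
    name = to_unicode(requested)
    reasons = []
    if any(len(scripts(label)) > 1 for label in name.split(".")):
        reasons.append("mixed-script label")
    skel = skeleton(name)
    if name not in PROTECTED and skel in PROTECTED:
        reasons.append("look-alike of " + skel)
    return reasons
```

An empty list means neither heuristic fired; it does not mean the name is safe, only that it matched nothing in these small tables.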
