Frank Hecker wrote:
> 1. As a general question, can or should CAs do anything
> to detect requests associated with misleading domains of
> the type that might be associated with phishing attacks?

I believe the main purpose of any SSL CA is simply to vouch for domain name ownership (how they do this is beside my point). If any efforts are done to limit or prohibit misleading domains, I feel it should be done at the registrar level. Doing it at the CA level will only limit phishing for sites that use SSL, whereas enforcement at the registrar would limit phishing on regular HTTP sites, SSL, FTP, etc. In my opinion, putting the onus on the registrars is the right place to enforce it, to start a trickle-down effect that would eventually protect CAs (and users) from having to worry about things like this.

Frank Hecker wrote:
> 2. What (if anything) can and should we (the Mozilla
> project in general, and the Mozilla Foundation in
> particular) do with regard to this? (For example, would
> this warrant putting additional requirements on CAs whose
> certs are pre-loaded into Firefox, etc?)

I would only suggest that we use our collective influence to try and get a reasonable policy adopted by ICANN which will define and enforce acceptable limits of similarity to already registered domains. Tough nut to crack, I know, but I feel it's the right place to start. Any enforcement at lower levels (like an SSL CA) is, in my humble opinion, a band-aid-like fix that doesn't go to the root of the problem.

-Alex

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
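The "acceptable limits of similarity to already registered domains" that the message asks a registrar (or, as a fallback, a CA) to enforce can be sketched as a screening check. The following is an added illustration, not code from the mozilla-crypto thread or from any registrar or CA: it folds a few visually confusable characters to a canonical form and then compares the requested second-level label against a small constructed list of protected labels by edit distance and substring containment. The protected list, the confusable map and the distance threshold are assumptions chosen for the example.

```python
"""Lookalike-domain screening check (added illustration, not code from the
mozilla-crypto thread). Models a registrar- or CA-side similarity test:
normalise confusable characters, then compare the registrable label against
a constructed list of already registered labels."""

# Constructed list of protected (already registered) second-level labels.
PROTECTED_LABELS = {"paypal", "mozilla", "bankofamerica"}

# Minimal confusable map folding look-alike sequences to canonical letters.
# Assumption: a small ASCII subset is enough here; a real deployment would use
# the Unicode confusables table and handle IDN/punycode labels as well.
CONFUSABLES = {
    "vv": "w", "rn": "m", "cl": "d",
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e", "5": "s", "$": "s",
}


def normalize_label(label: str) -> str:
    """Lower-case a label and fold confusable sequences to canonical letters."""
    s = label.lower()
    # Fold multi-character confusables first so "rn" becomes "m" before "1" -> "l".
    for seq, canon in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, canon)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the second-level label, e.g. 'paypal' for 'secure.paypal.com'.
    Assumption: multi-label public suffixes (co.uk) are not handled here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def screen_domain(domain: str, max_distance: int = 1):
    """Return (flagged, matched_label, distance) for a requested domain.

    Flags the request when the normalised label is within max_distance of a
    protected label, or contains one as a substring, unless the label is the
    protected label itself (the genuine registration)."""
    label = registrable_label(domain)
    norm = normalize_label(label)
    best = None
    for protected in PROTECTED_LABELS:
        if label == protected:
            return (False, protected, 0)  # the genuine domain, not a lookalike
        d = levenshtein(norm, protected)
        if d <= max_distance or protected in norm:
            if best is None or d < best[2]:
                best = (True, protected, d)
    return best or (False, None, None)


if __name__ == "__main__":
    # Constructed sample requests, as a registrar or CA might see them.
    for req in ["www.paypal.com", "paypa1.com", "rnozilla.org",
                "paypol.com", "paypal-secure-login.net", "example.com"]:
        print(req, "->", screen_domain(req))
```

The check is deliberately conservative: it only flags, it does not decide. A registrar applying the policy the message proposes would route flagged requests to manual review, and the genuine owner of a protected label is never flagged for its own registration.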
