Frank Hecker wrote:

> David Stutzman wrote:
>
>> This means I can't start getting amazon.com SSL certs unless I have control over one of the administrative email boxes of amazon.com.
>
> I don't want to speak for Gerv, but I don't believe he's concerned about CAcert or other CAs issuing fraudulent SSL certs for "amazon.com"; he's concerned about CAs issuing SSL certs for misleading domain names like "amaz0n.com".


Yes, I'd say that is the issue.  Bear in mind that
this is *not* happening now, as it is too easy to
attack without using SSL at all.  The name of the
game is to force the phishers into using SSL, in
which case the obvious attack is for phishers to
acquire a cert for amaz0n.com issued by noname.com.

> I think the key issues here are as follows:
>
> 1. As a general question, can or should CAs do anything to detect requests associated with misleading domains of the type that might be associated with phishing attacks?


I think it reasonable to ask them to detect
misleading domains amongst their own customers.

> 2. What (if anything) can and should we (the Mozilla project in general, and the Mozilla Foundation in particular) do with regard to this? (For example, would this warrant putting additional requirements on CAs whose certs are pre-loaded into Firefox, etc.?)


In terms of requirements, I can't think of one that
a phisher would be dismayed by.  If they cared, that
is.  Even if they have trouble picking up their own
certs, about 20k boxes are hacked every month,
leading to plenty of stolen valid certs.

> In this regard I've already expressed my opinion that our requiring WebTrust audits or even "strong" verification of applicants by CAs does not necessarily address the phishing problem in this context. But of course others are welcome to add their own thoughts on this...


iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
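Frank's first question above asks whether a CA can detect requests for misleading domains at all. One crude screening check of the kind iang calls reasonable for a CA's own customers, as an added example that is not from this thread and is not any CA's actual process: the brand watch list, the homoglyph table, the edit-distance threshold and the sample domains are all constructed assumptions, and the verdicts are illustrative only.

```python
# Added example (not from the mozilla-crypto thread): screen a certificate
# request's domain against a small watch list of protected brand labels and
# flag look-alikes such as amaz0n.com. All data here is constructed.

# Constructed watch list of brand labels a CA might want to protect.
PROTECTED = ("amazon", "paypal", "ebay")

# Single characters phishers commonly swap for look-alikes (illustrative subset).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "|": "l"}
# Two-character sequences that render like a single letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}


def normalize(label):
    """Fold common look-alike characters back to the letters they imitate."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    for src, dst in DIGRAPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a dotted name. Crude on purpose: a real CA would
    consult the public suffix list so that e.g. amazon.co.uk is handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def screen(domain, protected=PROTECTED):
    """Return (verdict, reason); verdict is one of 'ok', 'review', 'reject'.
    'ok' only means the name is not a look-alike; normal domain-control
    validation still applies."""
    label = registrable_label(domain)
    if label in protected:
        return ("ok", "exact brand label; verify domain control as usual")
    norm = normalize(label)
    tokens = norm.replace("_", "-").split("-")
    for brand in protected:
        if norm == brand:
            return ("reject", "homoglyph form of %s" % brand)
        if brand in tokens:
            # e.g. secure-paypal: the brand appears as a whole hyphenated token
            return ("review", "contains brand %s as a token" % brand)
        dist = levenshtein(norm, brand)
        # One-character typos against short labels produce too many false
        # positives, so only apply the distance rule to longer brand names.
        if len(brand) >= 5 and dist <= 1:
            return ("review", "edit distance %d from %s" % (dist, brand))
    return ("ok", "no match against watch list")


if __name__ == "__main__":
    # Constructed sample requests; verdicts are illustrative.
    for d in ("amazon.com", "amaz0n.com", "arnazon.com",
              "amazom.com", "secure-paypal.com", "example.org"):
        print(d, screen(d))
```

This only catches look-alikes of names on the watch list, and then only for the substitutions it knows about; it says nothing about the certificates stolen from compromised hosts that iang raises, nor about phishers who simply avoid SSL.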
