Alex Wight wrote:

> I believe the main purpose of any SSL CA is simply to vouch for domain name
> ownership (how they do this is beside my point).


We wish! But, no, check it out:

"This holiday season, enable customers to transact
securely online, offline and over mobile devices."

SSL was _purposed_ to protect credit card and other
transactions (these days, primarily online banking).

A CA "Issues SSL Certificates to enable authenticated,
128-bit SSL encryption that secure e-commerce and
online payments across the internet."

If it was simply to vouch for domain ownership, then
we could do that the way Tucows and other registrars
do it by sending an email.  This would be wonderful,
and would save everyone a lot of money and time.

(Which is what CACert is doing!  There's no reason
why anyone can't do it on the fly...)

But that's not what CAs were set up for, originally.

> If any efforts are done to
> limit or prohibit misleading domains, I feel it should be done at the
> registrar level.  Doing it at the CA level will only limit phishing for
> sites that use SSL,


Recall, phishing is an attack against commerce.

SSL was meant to protect commercial activities.

If SSL is not intended to stop things like spoofing
domains (phishing) to the user, what is it for?

If we fix phishing (and fraud in general) by changes
in the domain system, does that mean we can stop
using SSL?

> I would only suggest that we use our collective influence to try and get a
> reasonable policy adopted by ICANN which will define and enforce acceptable
> limits of similarity to already registered domains. Tough nut to crack, I
> know, but I feel it's the right place to start. Any enforcement at lower
> levels (like an SSL CA) is, in my humble opinion, a band-aid-like fix that
> doesn't go to the root of the problem.



This is really weird. The SSL CA promises trust.

Go check it out on the websites of the CAs **.

Yet, you are suggesting that ... anybody but the CAs
should be responsible for controlling of potentially
fraudulent domain activities?  To date, anyone can
create any domain.  All the domain system does is
create a record for name-IP translation and record
who owns that name.  Is that the system you want
to change?

iang

** Whoops!  Spoke too soon ... has anyone noticed
that Verisign have dropped the word 'trust' from
their logo and site?

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/
