> I believe the main purpose of any SSL CA is simply to vouch for domain name
> ownership (how they do this is beside my point). If any efforts are made to
> limit or prohibit misleading domains, I feel it should be done at the
> registrar level. Doing it at the CA level will only limit phishing for
> sites that use SSL, whereas enforcement at the registrar would limit
> phishing on regular HTTP sites, SSL, FTP, etc.

While this is true, economic arguments make it extremely unlikely that this will ever happen at the registrar level.
.com domains cost < $5 per year in bulk, and it's a market with massive competition and lots of automation. $5 is not sufficient for a registrar to do any serious checking. It's probably not enough to even have a human scan the name and see if it matches a 'famous' site they know of.
SSL certificates cost $400, are issued by a smaller number of companies, and are used to protect financial transactions. There is a stronger onus on the CAs to know who they are handing them out to.
In addition, any scheme is realistically going to be a post-hoc one - where phishes are identified, and the perpetrators tracked down from information on file. Denying domains or certificates to people "because it's too similar to an existing domain" would cause an outcry. And how do you measure "too similar"?
The chance of getting to a world where the CA keeps the info necessary to go after phishers is much, much higher than the chance of getting the registrars to do something.
Anyway, if you don't have SSL, you are vulnerable to DNS spoofing anyway, so you can never be certain you are at the right site, whatever the URL bar says.

Gerv
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
