Frank Hecker wrote: <comments on usefulness of SSL cert info beyond CN snipped>
Incidentally, I want to correct a possible misapprehension that might arise from my comments here and elsewhere:
I am quite interested in seeing Firefox, Thunderbird, and our other products implement effective anti-phishing strategies. I just don't think that the SSL protocol and the CA infrastructure can bear all or even most of the burden of protecting users from phishing. I think basic SSL checks related to domain name have to be supplemented and coordinated with other measures, which might include site blacklists, automated comparisons of site names with a whitelist of common phishing targets, and other heuristics designed to present the user with a qualified determination that "yes, this site is likely legitimate" or "no, it's not legitimate".
I would compare the role of PKI in the context of web site phishing attacks to the role of Sender Policy Framework (SPF) and related schemes in preventing spam: Neither are complete solutions (although often touted as such in a "marketing" context) but rather must be supplemented by other measures, and both impose costs that have the potential to negatively impact perfectly legitimate use cases.
Frank
--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
