Nelson B wrote:
<snip>

First, thank you for taking my comments in the spirit in which they were intended, and for responding to them in such depth. I don't have time to respond to you in depth right now, but I do want to clear up one key point, as noted below.

> > However with regard to SSL certs in particular I will note
> > that there are already CAs issuing "domain-validated" certs, e.g., the
> > Thawte ssl123 and Go Daddy TurboSSL services, and to my knowledge such
> > CAs are already in the default Mozilla set and usable with Firefox, etc.

> I don't know what you mean by "domain-validated".  Sorry.  So I cannot
> speak to the worthiness of "domain validated" cert issuers.

By "domain-validated" certs I mean SSL certificates for which the CA verifies that the cert holder owns the domain for which the cert is issued, but does not do identity verification beyond requesting a name, credit card number and expiration date, and billing address for the card, and then doing some basic checking of that information: Is the card valid? Does the info match the info from the Whois database? Does someone verify the request's validity in response to an email sent to the administrative/technical contact for the domain? Typically this whole process is automated, with no humans in the loop, and certs can be issued within a matter of minutes.
Again, see the Thawte SSL123 and Go Daddy TurboSSL web pages for real-life examples of such services:

  http://www.thawte.com/ssl123/
  https://www.godaddy.com/gdshop/ssl/ssl.asp

> However,
> I will say that I think domain registrars are almost ideal candidates
> to be SSL CAs.  They need to do due diligence, but they're already
> getting the registrant's info.  If they can verify it, and if
> registering the domain isn't a problem (e.g. with phishing), then
> who better than they to certify that so-and-so owns the XXX.XXX domain?

As it happens, I agree with you 100% on this point, and for various other reasons I believe that eventually most if not all commercial CA services will end up "embedded" into domain name registration services, and there will be few if any stand-alone commercial CAs anymore. I'll say more about this in my reply to Ram0502 (hopefully tonight), and may blog about it as well.
Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
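The automated "no humans in the loop" domain-validation flow described in the message above, as an added illustration that is not code from this thread, from Mozilla, or from any CA. It models only the domain-control part of the check (the WHOIS contact lookup and the email challenge), not the credit-card checks. The `WHOIS` table, the domain `example.test`, the `CHALLENGE_TTL` policy value and the `DomainValidator` class are all constructed assumptions for the example:

```python
"""Simulation of an automated domain-validation (DV) challenge flow.

Added illustration, not code from the mailing-list thread or any CA.
The WHOIS records and the domain name are constructed sample data.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed WHOIS-style records: domain -> registered contact addresses.
# The key security property is that the CA takes the contact from this
# record, keyed on the domain, and never from the requester's own input.
WHOIS = {
    "example.test": {
        "admin": "admin@example.test",
        "tech": "hostmaster@example.test",
    },
}

CHALLENGE_TTL = 600  # seconds a challenge stays valid (assumed policy value)


@dataclass
class Challenge:
    domain: str
    contact: str
    token: str
    issued_at: float


class DomainValidator:
    """Issues and verifies email challenges for domain-control validation."""

    def __init__(self, whois=WHOIS, now=time.time):
        self._whois = whois
        self._now = now  # injectable clock so expiry can be tested
        self._pending: dict[str, Challenge] = {}
        self.outbox: list[tuple[str, str]] = []  # simulated (recipient, token) emails

    def request(self, domain: str, contact: str) -> bool:
        """Start validation; the contact must be a WHOIS admin/tech address."""
        record = self._whois.get(domain)
        if record is None or contact not in record.values():
            return False  # requester is not a registered contact for the domain
        token = secrets.token_urlsafe(32)  # unguessable, single-use challenge
        self._pending[domain] = Challenge(domain, contact, token, self._now())
        self.outbox.append((contact, token))  # simulate sending the challenge email
        return True

    def confirm(self, domain: str, presented_token: str) -> bool:
        """Complete validation if the token matches and has not expired."""
        ch = self._pending.get(domain)
        if ch is None:
            return False
        if self._now() - ch.issued_at > CHALLENGE_TTL:
            del self._pending[domain]  # stale challenge is discarded
            return False
        if not hmac.compare_digest(ch.token, presented_token):
            return False  # constant-time comparison of the presented token
        del self._pending[domain]  # single use: a replayed token fails
        return True


if __name__ == "__main__":
    v = DomainValidator()
    print("stranger:", v.request("example.test", "stranger@elsewhere.test"))
    print("admin:   ", v.request("example.test", "admin@example.test"))
    recipient, token = v.outbox[-1]
    print("confirm: ", v.confirm("example.test", token))
```

What the simulation makes visible is exactly the limit the message describes: a successful `confirm` proves that whoever answered controls the domain's registered contact mailbox, and nothing about who that party is. Expiry and single-use tokens keep a captured challenge from being replayed later, and the constant-time compare avoids leaking the token through timing.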