For this position to hold up I think it would also have to be the case that a phisherman would not find value in buying the more expensive certificate. If an extra US$500 gets a larger return, perhaps $50,000 instead of $10,000, I think they'll spend the 500. Do you agree? Do you still feel safer with the identity certificate?
You are assuming that the amount of information the phisher has to reveal about himself is constant in the two cases.
The idea of the high assurance cert is that more checks are done, and so it's more likely (ideally, it's certain) that the police will be able to go knocking on the door of its owner if there's any funny business - i.e. they know where that door is, and which person behind it to arrest.
If there is a spoof involving a high assurance cert, the CA is shown to have done inadequate checks and it shrugs its shoulders, we bust them down to being a low assurance cert.
Gerv _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
