Frank Hecker wrote:
Thawte SSL123:

This service requires generating a CSR with at least CN, country, and state filled in; CN is used for the server domain name.

It seems (not that it's important) that there's no checking of the Country and State values you give?


Go Daddy TurboSSL:

...
that Go Daddy (unlike Thawte) requires entering your verification code (or whatever it's called) that's printed on the physical card, a nice touch.

Well, it makes it less likely a stolen card number can be used - you need the card, or access to a database with the verification code.


Cert approval was fairly quick; I was emailed a ZIP file containing the issued cert, an intermediate CA cert required for proper chaining, and installation instructions for a variety of web servers. I installed the certs into Apache, and you can see the results at

https://www.hecker.org/

</me visits domain and inspects cert>

Blimey, our cert examination UI sucks rocks. <sigh>

This whole situation is a disaster waiting to happen, isn't it? The only reason phishers aren't exploiting this is because they don't need to yet - there's enough dumb people out there who are happy to type all their details into an insecure form.

Gerv
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto