Hi Ian, > OK, so your answer is the browser doesn't > need to do anything about it because it can > just trust CAs to do the job. No no, on the contrary. CA's should look after their product and control what they issue. Ideally they should also co-ordinate their effort to minimize the number of issued 'bad' certificates.
In an old post regarding IDN security I spoke about 3 lines of defense: browser (client software), DNS and CA. Of course the DNS line doesn't apply here, but the browser and CA do. It's great if the browser checks for wildcard with large domain coverage. This way the end user is protected from non-CA signed certificates as well (or from certificates signed by a CA, whose checks aren't quite as tight as others). Cheers, V.
smime.p7s
Description: S/MIME cryptographic signature
