While third-party verification is not the real issue, the issue is: can the third party itself be trusted? Who remembers the Verisign debacle from a few years ago with the Class-3 digital certificates issued through a social engineering attack, in the name of Microsoft?
http://news.com.com/2100-1001-254586.html?legacy=cnet
http://www.eweek.com/article2/0,1895,1243314,00.asp

In the real world, we trust the Secretary of State (at least, in the US) to "authenticate" businesses. They are the only ones authorized to issue "Certificates of Incorporation" that legitimize a US business. (Similar agencies perform such functions in other countries, to the best of my knowledge.)

It is my belief that what is needed is a new trust model, where only the digital certificates of CAs of a federal entity of a nation (such as that of the Office of the President) are in the browser, and are placed in commercial browsers through a very elaborate protocol. The Federal CA, in turn, will issue the CA certificates of the states that are part of that federal entity (the 50 US states, for example), who in turn will issue the CA certificate for the office of the Secretary of State in each state. For smaller nations, the Federal CA might issue the certificate to the agency that incorporates/licenses business entities directly.

The OSOS CA will accept self-signed CA certificates from any business entity, just as it accepts "self-signed" paper applications to create a new business entity. Once the paper "Certificate of Incorporation" has been issued, the Base-64 encoded self-signed certificate of the business entity is signed by an OSOS CA-issued certificate, chaining up to the Federal CA certificate in the browser, thus establishing the legal business entity on the internet.

Now, when the browser sees a self-signed certificate that does not chain up to a Federal CA of some nation, it can legitimately state that the server certificate appears to be from an unknown business entity which does not appear in the directory of the local authorizing government agency. I don't know of many users who will continue to click through such a message no matter what their business need is.
Third-party CA operators (including StrongAuth) should only be in the business of building and operating PKIs, not establishing trust. Until such a trust model, and a supporting protocol to use it, are created, we can expect certificate trust problems to only exacerbate.

Arshad Noor
StrongAuth, Inc.

Julien Pierre wrote:
> What other way does the average non-technical user have to know that the secure website is the one truly intended and not a fake, other than to rely upon a third party to do the verification for them? Self-signed certs certainly don't provide any of that type of assurance.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
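The chain the message proposes (Federal CA signs a state CA, which signs the Secretary of State CA, which countersigns a business's self-signed key) can be modelled with the Python `cryptography` library. This is an added example, not code from the message or from StrongAuth; the CA names, the EC keys and the `chains_to_root` browser-style check are assumptions, and the certificates are constructed in memory for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, subject_key, issuer, issuer_key, is_ca):
    """Issue a cert for `cn`; issuer=None yields a self-signed certificate."""
    now = datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def chains_to_root(leaf, intermediates, root):
    """Browser-style check: follow issuer names up to the trusted (Federal) root, verifying each signature."""
    pool = {c.subject.rfc4514_string(): c for c in intermediates + [root]}
    cert = leaf
    for _ in range(len(pool)):
        issuer = pool.get(cert.issuer.rfc4514_string())
        if issuer is None:  # issuer unknown to the trust store, e.g. a bare self-signed cert
            return False
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
        if issuer is root:
            return True
        cert = issuer
    return False

def demo():
    # Constructed hierarchy: Federal -> State -> Secretary of State (OSOS) -> business
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("fed", "state", "osos", "biz")}
    federal = issue("US Federal CA", keys["fed"], None, keys["fed"], True)
    state = issue("State of California CA", keys["state"], federal, keys["fed"], True)
    osos = issue("CA Secretary of State CA", keys["osos"], state, keys["state"], True)
    # The business's own self-signed cert, and the same public key countersigned by OSOS
    self_signed = issue("Example Corp", keys["biz"], None, keys["biz"], False)
    countersigned = issue("Example Corp", keys["biz"], osos, keys["osos"], False)
    return (chains_to_root(countersigned, [state, osos], federal),
            chains_to_root(self_signed, [state, osos], federal))
```

`demo()` returns `(True, False)`: the countersigned certificate chains to the Federal root, while the bare self-signed one is rejected as coming from an entity unknown to the trust store.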
