Ka-Ping Yee wrote:
> This is further evidence that we cannot rely on CAs to maintain clear uniqueness of certificates, and that we must enable users to establish trust relationships without having to depend on CAs.
Certainly, relying on the CAs to maintain any uniqueness amongst the entire set is a ludicrous concept. I'm not sure where to begin in addressing this common but flawed assumption. I suppose we just have to wait until it is valuable enough for phishers to point out how easy it is to get a cert from anyone.
However, I think that we can ask a CA to police uniqueness within its own space. If it can't do that, I'd suggest it may not be capable of doing anything worth speaking of, and should be struck off. It's reasonable for a CA to look at a domain and search in its own database for any similar names.
> The only mechanism I know of that enables this is the petname. See http://petname.mozdev.org/.
> (If you know of other ways, I'm curious to hear about them.)
Yes, trustbar.mozdev.org does something similar in concept, but with logos, which makes for a more sophisticated interaction.
I've just upgraded my Firefox to 1.0.2 and this time the FreeBSD version handles plugins, so I installed both of them. Unfortunately petname doesn't appear.
Trustbar sort of works, enough to use as a petname toolbar, but it generates a few foibles that make it demo quality only for now; probably as a result of the FreeBSD bugs more than anything else. In time I imagine these issues will be ironed out.
Great to see a booming market in experiments to deal with phishing!
iang

--
News and views on what matters in finance+crypto: http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
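The "search its own database for any similar names" check suggested above, as an added example that is not code from the thread, from petname.mozdev.org or from trustbar.mozdev.org. It assumes a hypothetical CA whose set of already-issued domains is the constructed `ISSUED` set, and uses a small hand-picked confusables table (an assumption, not the Unicode confusables list); a real CA would swap in its issuance database and a fuller table.

```python
import unicodedata

# Constructed sample: domains a hypothetical CA has already issued certificates for.
ISSUED = {"paypal.com", "bankofamerica.com", "mozilla.org", "example.net"}

# Hand-picked look-alike tables (assumption: illustrative, not the full Unicode confusables data).
CYRILLIC_TO_LATIN = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                     "\u0441": "c", "\u0445": "x", "\u0443": "y"}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = {"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"}


def skeleton(domain):
    """Reduce a domain to a 'skeleton' in which visually confusable spellings collide.

    Skeletons deliberately over-match: the goal is to surface candidates for a human
    vetting step, not to prove two names are the same.
    """
    d = domain.strip().rstrip(".").lower()
    d = unicodedata.normalize("NFKD", d)                      # split accents off base letters
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in d)    # homoglyphs from another script
    for seq, repl in MULTI_CONFUSABLES.items():               # multi-letter look-alikes first
        d = d.replace(seq, repl)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in d)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain):
    """The label just below the TLD, e.g. 'paypal' for 'paypal.com' (naive: no public-suffix list)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_lookalikes(candidate, issued=ISSUED, max_distance=1):
    """Return [(issued_name, reason)] for every issued name the candidate could be confused with.

    Checks, in order: exact duplicate, confusable skeleton, same registrable label under
    another TLD, small edit distance on the registrable label, and embedding of the label.
    """
    cand_exact = candidate.strip().rstrip(".").lower()
    cand_sk = skeleton(candidate)
    cand_sld = second_level(cand_sk)
    hits = []
    for name in sorted(issued):
        sk = skeleton(name)
        sld = second_level(sk)
        if cand_exact == name.lower():
            hits.append((name, "already issued"))
        elif sk == cand_sk:
            hits.append((name, "confusable skeleton matches"))
        elif sld == cand_sld:
            hits.append((name, "same registrable label, different TLD"))
        elif levenshtein(cand_sld, sld) <= max_distance:
            hits.append((name, "edit distance %d from registrable label" % levenshtein(cand_sld, sld)))
        elif len(sld) >= 4 and sld in cand_sld:
            hits.append((name, "embeds registrable label"))
    return hits


if __name__ == "__main__":
    # Constructed requests a phisher (or an honest customer) might submit to this CA.
    for req in ["paypa1.com", "p\u0430ypal.com", "paypal-login.com", "mozila.org",
                "rnozilla.org", "paypal.net", "PayPal.com", "duckduckgo.com"]:
        print("%-20s -> %s" % (req, find_lookalikes(req) or "no similar names, OK to issue"))
```

Anything `find_lookalikes` returns should block automatic issuance and go to a human, which is exactly the within-its-own-space policing the post asks of a CA; it says nothing about names issued by other CAs, which is the part the post argues cannot be relied upon.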