Ka-Ping Yee wrote:

> This is further evidence that we cannot rely on CAs to maintain
> clear uniqueness of certificates, and that we must enable users
> to establish trust relationships without having to depend on CAs.

Certainly, relying on the CAs to maintain any
uniqueness amongst the entire set is a ludicrous
concept.  I'm not sure where to begin in addressing
this common but flawed assumption.  I suppose we
just have to wait until it is valuable enough for
phishers to point out how easy it is to get a cert
from anyone.

However, I think that we can ask a CA to police
uniqueness within its own space.  If it can't do
that, I'd suggest it may not be capable of doing
anything worth speaking of, and should be struck
off.  It's reasonable for a CA to look at a domain
and search in its own database for any similar
names.

> The only mechanism I know of that enables this is the petname.
> See http://petname.mozdev.org/.
>
> (If you know of other ways, I'm curious to hear about them.)

Yes, trustbar.mozdev.org does something similar in concept, but with logos which makes for a more sophisticated interaction.

I've just upgraded my Firefox to 1.0.2 and this time
the FreeBSD version handles plugins, so I installed
both of them.  Unfortunately petname doesn't appear.

Trustbar sort of works, enough to use as a petname
toolbar, but it generates a few foibles that make
it demo quality only for now;  probably as a result
of the FreeBSD bugs more than anything else.  In time
I imagine these issues will be ironed out.

Great to see a booming market in experiments to deal
with phishing!

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
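The per-CA check iang describes above (a CA searching its own database for names similar to a new applicant's domain), as an added Python example that is not part of this thread or of any CA's software. The issued-name list and the confusable-character table are constructed for illustration; a real CA would use a fuller confusables table.

```python
# Added example (not from the original thread): how a CA could screen a new
# certificate request against the names it has already issued, catching
# look-alike spellings that a human would confuse with an existing customer.

# Constructed, deliberately small table of visually confusable substrings.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a 'skeleton' so that confusable spellings
    (paypa1 / paypal, rnozilla / mozilla, pay-pal / paypal) map to the
    same string. Case and hyphens are ignored as well."""
    s = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row of state at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similar_issued_names(candidate: str, issued, max_distance: int = 1):
    """Return every name in the CA's own issued set that collides with
    `candidate`: identical skeleton, or within `max_distance` edits of it.
    A non-empty result means the request needs human review, not rejection
    by itself (the same customer renewing will also match)."""
    cand = skeleton(candidate)
    hits = []
    for name in issued:
        sk = skeleton(name)
        if sk == cand or edit_distance(sk, cand) <= max_distance:
            hits.append(name)
    return hits


# Constructed sample of names this CA has already issued certificates for.
ISSUED = ["paypal.com", "example.org", "mozilla.org"]

if __name__ == "__main__":
    for req in ["paypa1.com", "pay-pal.com", "rnozilla.org", "google.com"]:
        print(req, "->", similar_issued_names(req, ISSUED))
```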