> That would be incomplete :) What you should say is that
> "Gervase thinks GeoTrust certs are not suitable for commerce!"

If you want to be like that, then the correct text is:

"If you put your CC number into here and get ripped off, there's no possible way you can find the guy who did it."

> Did you read their paper? They are claiming that the identity traceability is so unreliable that ... you can't rely on it.

No, they are claiming that current verification methods are easily enough spoofed that the identity data placed in certs is so unreliable that... you can't rely on it. Which is true.

However, that does not preclude CAs doing better verification. Whether they put the results of that into the cert, or just wait for my friendly policeman to ring them up and ask for it, doesn't really matter.

> See, it's an impossibly high barrier: if any crook can get a duff cert, it undermines the whole system. But with 100++ CAs out there, there will always be a loose system somewhere. So when some SSL cert gets used to fleece a thousand innocent Americans of their hard-earned credit points then they come and sue *you* for saying that the cert was good for commerce. Bummer!

So we should wash our hands of the whole issue and say "we're not going to say anything about security because you might sue us. You're on your own"?

> This is weird. Lots of commerce gets conducted all the time over non-protected channels. In fact, a non-trivial amount of credit card traffic gets shifted over non-protected channels. Search on Google for FORM and credit card number and you'll find lots of small merchants.

Yep. And it's not good.

> Are you planning to set up a really big table in your UI that lists all the CAs and whether they are "commerce rated" or not?

Yep, just about.

> What happens if they decide to issue an identity cert and a domain-control cert, under the same root?

See discussion in .crypto.

> What happens if they convince you that it really is an identity cert, then wait until your UI is out there in its glorious millions, and then they switch to domain control? (Bait and switch, a favourite trick...)

Then we issue a security update either pulling their certs for bad faith, or changing the bits on it.

> If you just printed out:
> "GeoTrust issued this cert to that domain"
> it would solve, completely, once and for all, every one of those above issues.

Apart from the one where the user says "so, can I put my credit card into this page or not?"

Gerv

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
