Xperex Tim wrote:
> I don't really see the value of free certificates. If they are free that means that the CA can't be doing any identity checks. So any schmoe can get a certificate with your name on it and claim to be you.
Even a free cert can easily verify that the email address is valid enough that somebody was able to use the acknowledgement key sent to it. That doesn't prove much, but it's more useful than you think.
As for "any schmoe can get a certificate with your name" - so what? I live in a college town, do you think it would be hard to get a fake ID with your name and address on it? With a bit more money, I could drive into the nearby large city and get a pile of papers showing that I'm you. One of the unintentional consequences of cracking down on illegal immigrants has been an explosion in identity theft and forged documents, and the bad guys you want those identity checks for can cover their tracks better than most checks can uncover.
Even on the corporate side, it's not that hard to get a list of corporate officers from the SEC and create a forged letter authorizing some action. That's how Verisign was tricked into issuing a Microsoft cert to an unauthorized person (IIRC).
The bottom line is that identification of people with strong reasons to remain mis-identified is, and will always be, a hard problem. Even a $300 cert fee can only give you a modest comfort level that the other party, if they really are bad guys, aren't totally incompetent bad guys. But this doesn't mean that minimal checks (e.g., verifying that the subject can receive mail at the address provided) are worthless.
(P.S., all of this goes out the window when you're talking about an organization issuing certs to its members/employees/students/whatever. That's the intent of my effort, with the totally free email-only certs piggybacking.)
Bear
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]