[EMAIL PROTECTED] wrote:
> 
> the current SSL domain name infrastructure supposedly exists because of issues
> with trusting the domain name infrastructure ... except the SSL domain name
> certificate issuer has to trust the same (untrusted) domain name infrastructure
> when issuing a certificate (i.e. the SSL domain name certificate is no better
> than the authentication authority that the certificate authority has to rely on
> as the final arbitrator of domain name ownership).
> 
> one of the integrity issues with the domain name infrastructure ... is that
> domain names have been hijacked ... once hijacked ... you can go to a certificate
> authority and get a certificate with that domain name (and the certificate
> authority will check with the domain name system and confirm that the requester
> owns the domain name).

The difference is that a CA _also_ binds the certificate to a legal
entity. When the fraud is discovered, the identity of the fraudster is,
too.

[I see you've never paid attention to how easy it is to get a
certificate, Ben. I suspect I could get one in the name of any company
with about 20 minutes of unskilled forgery. The level of checking done
is trivial. This wouldn't be a problem except for the fact that all
CAs disclaim any and all liability for practical purposes. --Perry]

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
