Ben Bucksch wrote:
*sigh* We had that. I just knew people would pick on that sentence. Yes, I understand the political dimension. I just don't *know* how the US ensures that passports are not issued to the wrong person or with wrong names, but I'm pretty sure the DHS *does* make sure of that. So, either use ID cards, which a lot of countries have and can be used easily and safely, or the passport, which is not usually considered a threat to civil liberties, and exists *everywhere* in the world. (And I think we discussed enough the fact that some US people don't have one.)

Or some other reliable way, depending on the country. Basically, you need a signature that will hold up in court. Do ***what. ever*** is appropriate in your country.

And for vetting individuals, I'm sure something like this will be done. But it's not appropriate for businesses and corporations. Why should some poor person at Microsoft have to have his personal details encoded into all their certificates? And he's not going to be the responsible one anyway. There are laws which make corporations into virtual persons for a reason.

ask him the question in person rather than over the phone doesn't seem to me to be any more secure.

While "in person" certainly helps, that was not the point, rather the verified signature. There are a number of weaknesses in using the phone:
* How to get the phone number (discussed enough)
* Intercepting calls. The whole SSL thing is about preventing interception of communication. How can you claim it's not a significant threat, esp. during the most important - and one time - verification phase, I don't know. Intercepting phone may or may not be harder than Internet, but intercepting VoIP (which many people and companies and whole countries are using or starting to use) is probably even *easier* than intercepting email, due to more indirections and channels.

But you have to know exactly when the CA is going to call.

* Social engineering, like imitating voices, calling the reception from outside, claiming to be Fred on travel, and asking to have all calls routed to some other number.

Again, you have to know when the CA is going to call.

And intercepting VoIP may be "easy", but it's yet another thing you have to set up and do manually per cert you are trying to obtain. Where have we got to so far? You need to bribe the mail boy, set up a VoIP tap, ...

I really don't see this "obvious" pattern of terrible CA behaviour that people seem to think exists.

Well, what made us talk about EV in the first place?
Why is the 'cert holder' field complete crap in current certs?

The Cert holder field is unverified in many current certs due to market forces. If I'd been running a CA, I'd probably have done the same. EV is a way to use market forces to drive things in the right direction.

I believe we are doing either:

Foo Boot and Shoe Corp dba. Clark's Shoes
(with dba standing for Doing Business As)
or
Clark's Shoes, xxx Foo Boot and Shoe Corp.
(with xxx standing for some abbreviation which means the reverse of dba).

They should definitely be separate fields.

I think there may be technical issues with that. But we can suggest it.

Both for general format design, and because the "dba" won't be understood *at all* by non-US/UK people, and probably not even the concept. I would have thought "dba" is a form of corporation like "Inc." or "GmbH", so not even looked it up. I was very confused first time I saw it, even though I had context.

They might be using brackets. Again, I'd need to check the document.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
