Ben Bucksch wrote:
(You *may* be thinking of DV (Domain Validation) and Class 1 SSL
certs. These are indeed insecure and make SSL a joke. They were a
really bad idea and that is one of the reasons behind EV.)
Ben, the reason behind EV (or any higher verification in that respect)
is about the *identity validation*, which is non-existent in domain
validated certificates. However please backup your claim, that domain
validated certificates in relation to DNS spoofing are insecure. Or even
better, I invite you or anybody else with knowledge on the subject to
create a certificate for microsoft.com at our CA
(https://cert.startcom.org/?app=101&type=1 Direct link to Class 1 certs
at StartCom). If you succeed, I believe you, else the claim is not valid.
The problem is *not* the domain validation really, but the fact that the
identity behind the domain is not validated - two completely different
things really!
Assuming no DV/Class1 crap, SSL indeed solves the insecure DNS
problem, as Heikki stated.
Therefore even if Verisign is issuing an EV cert for themselves, you
can not be assured that the cert hasn't been stolen and the DNS altered
I guess they use them for testing and promotional reasons, same as
StartCom uses Class 3 and Class 1 for its own web sites.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security