On Tue, 27 Mar 2012 18:29:29 -0700 John Nagle wrote:

> How can a free CA afford to validate its customers?

Check out startssl.com. It's only a few CPU cycles to certify a domain via email or HTML file, which is the only unforgeable level of cert. Yes, security of the key needs to be paid for, and by having one browser-funded CA the costs would be tiny and the benefits in security and auditing and time to fixes etc. etc. large.

> The CA Browser Forum is tightening up standards.
> The rules on certs change July 12, 2012, and will be much tighter
> thereafter. There will be three levels of certs - "domain control
> only", "organization validated", and "extended validation".
> "Domain control only" is for blogs. Anything that takes a credit
> card should have at least "organization validated". Financial
> institutions should have EV.

So. I'm guessing they are heading in the complete wrong direction and applying the greatest award of validation to the least secure methods of validation, which only serve to cause a false sense of security and make criminals pay a few bucks for tricking customers to ignore the domain name. Would that be payment to the CAs by any chance? The browsers may as well make the money themselves if they are going to continue down this dumb road. I guess it's not that surprising, as even PCI compliance actually forces OpenBSD servers to reduce the security of their password system.

> Anything that takes a credit card should have at least "organization
> validated".

Can you actually think of a reason for that, considering how little time and money it takes to set up a new organisation? Extended is next to useless too. And there are major downsides such as: a false sense of security; penalising and reducing market competition, and so innovation succeeding. Users should be trained to research the domain or look for rating site signatures that use public reviewing. It's a lot more effort to fool these things, especially ranked on Google, than the cert levels, which actually reduce domain trust checking.

You don't walk into a shop and check it's a registered company and has an accountant and then leave your cash on the table (EV) whilst you browse the shop. There is more security in knowing where the shop is and what the owner looks like and whether others trust him or the brand (domain control).

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
