> Frank Hecker:
> > Eddy Nigg (StartCom Ltd.) wrote:
> >   
> >> Issuing certificates which claim to be validated without such vetting
> >> ever having performed is tantamount to KNOWINGLY and WILLINGLY
> >> contribute to a possible fraud. I claim that issuing wild card
> >> certificates without proper vetting as described above equals the same.
> >>     
> >
> > I don't have much to add to Nelson's comments, so I'm just going to
> > summarize my opinion on the issue of wildcard certs and domain
> > validation: Your points about the potential for fraud are well-taken, as
> > is your point about having an identified entity to pursue in the event
> > of fraud.
> OK
> > However as I see it these points apply equally as well to
> > vanilla DV certs (i.e., for a single domain name) as they do to wildcard
> > DV certs.
> >   
> Not really. Let me try this again with an example (wearing my obligatory
> costume as envisioned by Nelson ;-) ).
> 
> Subscriber requests a certificate for paypal.domain.com.
> 
> Would such a SSL secured site for this specific domain fool many visitors?   [yes]
> Does this domain name present a potential risk?   [yes]
> Does the CA know upfront about its potential (mis)use?   [yes]
> Can the CA intervene in the process before issuing a certificate for this domain?   [yes]
> Can the CA visit the corresponding site and verify its content?   [yes]
> Can the CA revoke the certificate immediately?   [yes]
> 
> 
> However now the subscriber requests a certificate for *.domain.com:
> 
> Can such a certificate be potentially used to fool many visitors?   [yes]
> Can the domain name present a potential risk?   [yes]
> Does the CA know upfront about its potential (mis)use?   [no, there is none at this stage]
> Can the CA intervene in the process before issuing a certificate for this domain?   [no, there is no reason to intervene]
> Can the CA visit the corresponding site and verify its content?   [no, it doesn't know which sub domain will be potentially used and when]
> Can the CA revoke the certificate immediately?   [no, only after a fraud has been committed already and brought to the attention of the CA]
> 
> The points above don't equally apply! IV reduces the risk greatly for 
> wild card certificates, compared to DV only.
> 
> > When we created our CA policy the rough consensus was that DV certs have
> > a valid place in the grand scheme of things.
> Correct, we have agreed on that already.
> > Given that, I think 
> > wildcard DV certs are just as valid.
> I don't agree, see above. They are only technically valid, but of course
> you can disagree with me.
> >  Such certs may not be suitable for 
> > legitimate ecommerce purposes, but that's what EV certs are for.
> IV/OV certificate may be legitimate as well. It's the standard applied
> and distinction in the browser which makes them different. :-)

I'd also like to add my two cents from some time spent studying
"confusable" domain names that could be used for fraud. The solution,
IMO, if one can be crafted, must be done upstream at domain name
registration time. If a domain name has been lawfully purchased, and
none of the CA's vetting fails (company is legit, company owns the
domain name, etc.) the CA has no grounds for refusing to issue a cert.
It would be like a car salesman refusing to sell me a car because he
thought I was going to use it in a crime.

-Rick

-- 
Rick Andrews                 __o    Phone: 650-426-3401
VeriSign, Inc.             _ \>,_   Fax:   650-426-5195
487 E. Middlefield Rd. ...(_)/ (_)  URL:   www.verisign.com
Mountain View, CA  94043            email: [EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
