If someone came into a bricks and mortar bank to ask for a loan, the loan officer may ask for identification and accept a driver's license as proof of identity. All the license provides is an assurance that a respectable (..ahem..) organization is asserting that reasonable steps have been taken to verify that the individual whose details are listed on the license is associated with the individual who looks something like the picture on the license. It says nothing about the financial responsibility of the individual and whether they would be a good credit risk.
Like the driver's license, the SSL certificate is just an identification mechanism - an important assurance in distributed networks - and that is all it is. This is the message we need to get across to Joe Public.
This example may be rather simplistic but hopefully it conveys the general idea. I don't think anyone would expect the DMV to do a credit check or make any assertion on a license about the creditworthiness of the holder. Neither should CAs be doing audits on companies that they issue SSL certificates to - other than to take reasonable steps (and publicly state what those steps are) to identify and authenticate the subject.
-Scott
Duane wrote:
> David Ross wrote:
>> We are talking about MONEY and PRIVACY. How much risk are you
>> willing to take with these?
> I'm inclined to agree with Ian here: while you're being distracted by flashy audits, how many of those online shopping carts with a commercially issued certificate have their MS SQL database hacked and all the credit cards contained in it stolen? Shouldn't things be done to encourage security (as he said) as a whole, rather than be bogged down by one detail of it? This isn't just education of users, but poor programming practices with handling financial information on servers etc... Perhaps commercial CAs issuing certificates should take a more proactive approach and run basic audits themselves on who they are supposedly protecting... (Smoke and mirrors)
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
