When a CA issues an SSL certificate, generally all they are asserting is that the public key in the cert relates to a private key owned by the subject and was requested by an individual authorized on behalf of the company responsible for the domain of the subject. That is what we need to educate users on. I don't think CAs can or should be responsible for anything other than this.
If someone came into a bricks and mortar bank to ask for a loan, the loan officer may ask for identification and accept a driver's license as proof of identity. All the license provides is an assurance that a respectable (...ahem...) organization is asserting that reasonable steps have been taken to verify that the individual whose details are listed on the license is associated with the individual who looks something like the picture on the license. It says nothing about the financial responsibility of the individual and whether they would be a good credit risk.
Like the driver's license, the SSL certificate is just an identification mechanism - an important assurance in distributed networks - and that is all it is. This is the message we need to get across to Joe Public.
This example may be rather simplistic, but hopefully it conveys the general idea. I don't think anyone would expect the DMV to do a credit check or make any assertion on a license about the creditworthiness of the holder. Neither should CAs be doing audits on companies that they issue SSL certificates to - other than to take reasonable steps (and publicly state what those steps are) to identify and authenticate the subject.
So this is why identity fraud is starting to get out of hand then? :) Obviously they aren't doing their homework either... So if banks get it wrong so often, and I'm sure they are audited and held in a lot more regard than any CA...
If commercial CAs want to assert the idea about how much checking they do, how hard could it be to organise some company in bulk to do simple audits... "Your SQL server is wide open, fix it and we'll issue you your certificate"... It's not as if the money charged by some CAs wouldn't cover these "incidental" expenses after all...
What good is auditing the CA if the weak link is after them?
--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
