Scott Rea wrote:
I totally agree with what you are saying - and maybe there is a business opportunity in there.... a CA could issue 2 types of SSL certs - 1) based around the current model that simply asserts the identity of the server; 2) that additionally asserts that the company has passed some sort of cursory security audit surrounding the server. But then how far do you expand the realm of that audit?? Who cares if the server is locked down tighter than a banker's wallet if as you say the SQL back end is more open than Janet Jackson's bodice....
When a CA issues an SSL certificate, generally all they are asserting is that the public key in the cert relates to a private key owned by the subject and was requested by an individual authorized on behalf of the company responsible for the domain of the subject. That is what we need to educate users on. I don't think CAs can or should be responsible for anything other than this.
If someone came into a bricks and mortar bank to ask for a loan, the loan officer may ask for identification and accept a driver's license as proof of identity. All the license provides is an assurance that a respectable (..uhem..) organization is asserting that reasonable steps have been taken to verify that the individual whose details are listed on the license is associated with the individual who looks something like the picture on the license. It says nothing about the financial responsibility of the individual and whether they would be a good credit risk.
Like the driver's license, the SSL certificate is just an identification mechanism - an important assurance in distributed networks - and that is all it is. This is the message we need to get across to Joe Public.
This example may be rather simplistic but hopefully it conveys the general idea. I don't think anyone would expect the DMV to do a credit check or make any assertion on a license about the creditworthiness of the holder. Neither should CAs be doing audits on companies that they issue SSL certificates to - other than to take reasonable steps (and publicly state what those steps are) to identify and authenticate the subject.
So this is why identity fraud is starting to get out of hand then? :) Obviously they aren't doing their homework either... So if banks get it wrong so often, and I'm sure they are audited and held in a lot more regard than any CA.
If commercial CAs want to assert the idea about how much checking they do, how hard could it be to organise some company in bulk to do simple audits... "Your SQL server is wide open, fix it and we'll issue you your certificate"... It's not as if the money charged by some CAs wouldn't cover these "incidental" expenses after all...
What good is auditing the CA if the weak link is after them?
-Scott
