David Ross wrote:
Actually, I don't expect anything beyond that. If you read the
actual "WebTrust Program for Certification Authorities", you will
see that an accredited CA verifies that the purchaser is who he
says he is and that the CA signing key is kept secure to avoid
issuing unauthorized or unverified server certificates, both of
which are very important now that such frauds as "phishing" are
growing. A third-party audit serves to verify that the CA does
indeed exercise care when issuing server certificates. Nothing in
the WebTrust process involves having the CA verify the business
practices of the owners of server certificates issued by CAs.

Ummm, last time I checked, most phishing scams didn't bother with SSL, and in fact they even hosted them on GeoCities and exploited bugs in IE. Fact is, most people don't care; they are sheeple, following instructions in an email, which is why MyDoom had such a huge impact. It didn't exploit any computer-related bugs, it exploited people-related flaws. Who needs security when you can simply hack the people en masse quite easily instead? Attackers are interested in maybe one or two credit card numbers, they want banks full of them.


--
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
