Gervase Markham wrote:
Obviously, I can see the point of issuing email certs based on an email address ;-) But I think issuing any sort of SSL server cert without some sort of audit trail which allows you to track down the person responsible for the server is a bad idea. And if existing CAs are doing it, they should be encouraged to stop.

Another quick comment, not specific to CAcert but just a general comment about the role of CAs in relation to phishing:


IMO the issue of authenticating the identity of certificate applicants is to a large degree orthogonal to the issue of preventing phishing attacks based on misleading domain names. It's perfectly possible to imagine a CA granting an SSL certificate to a company with a misleading domain name (i.e., designed to be confused with a more well-known domain name) based on documents being provided that appear to validate that the company in question actually exists and owns the domain in question. I don't think a CA would be violating either its own policies or the WebTrust criteria by doing so, and it's certainly possible to imagine CAs "looking the other way" in accepting and approving such certificate requests. (It's similar to the problem of domain name registrars issuing confusing domain names in the first place.)

For that matter, based on my reading of the WebTrust criteria, I don't believe that they actually require "strong" authentication of the identity of certificate applicants. IIRC the criteria require simply that the CA authenticate applicant identity in conformance with its stated Certificate Policy and Certification Practices Statement, and the CP and CPS could conceivably specify fairly "weak" authentication. The onus would then be on the person actually encountering the certificate (e.g., the Mozilla user surfing to an SSL-enabled site) to verify that the level of authentication is sufficient for their purposes. (This is formalized in the CA's Relying Party Agreement, which is analogous to an EULA in some ways.) This is how WebTrust-audited CAs "get away with" offering individual certificates based solely on authentication via email, and I don't see why this wouldn't apply to SSL server certificates as well.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
