I've been looking at the GeoTrust papers, and I'm struck by two things:

1) There are multiple CAs with 'authority' (granted by the Mozilla Foundation, by including their root certificates with the distribution) to issue certificates, and they do not coordinate their actions;

2) each of the cases that GeoTrust asserts as failing examples relies on a trademark infringement.

The first thing is a contributor to all of this trouble. There's no "industry best practices" that the industry has had the chance to go over and refine; instead, they're all working from the ANSI/WebTrust/standards-body ideas of how CAs should behave, without revision and without oversight. I'm surprised it took as long as it did to have problems.

The second thing, though, is a legal argument, and one that deserves more rational analysis. In the US (at least; I don't know anything about international law as relates to trademarks, tradenames, et al.), banks and insurance companies file their trademarks under Class 36, and telecoms file their trademarks under Class 38. These are the two (along with Class 45, "personal services", if "providing a credit report" is a function of a personal service) that seem to be most likely subject to phishing attacks. (Though, to be fair, Class 42 seems to be where the entire concept of 'phishing' began -- trying to get account keys and usernames/passwords illegally.)

(Reference: http://www.uspto.gov/web/offices/tac/tmfaq.htm#Application018 , "What are the different classes of goods and services?")

Why don't CAs have sub-CAs based on the class of the trademark that has been granted on the name? (Trademarks often take over a year to process through the USPTO, but a 'no current trademark registered' sub-CA could be used for that.) This would allow for determination of what class of business the name is certified for, and a UI enhancement that would thus prevent the GeoTrust attack of "Chase Ferries" being UI-same as "Chase Bank".

It would seem to me that the class of threat that GeoTrust exposed was "right to use the name".

Just some thoughts.

Cordially,
Kyle Hamilton

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
