It is not easy to decide what makes for a dodgy
cert and what does not.  Here's a case of an
apparent anti-virus tool that is being sold under
false pretenses.

http://www.edbott.com/weblog/archives/000496.html

(It looks like paid spyware to me ...)

The blog investigator dug deeper and found that
the cert they were using was issued to ChoicePoint.
Whether ChoicePoint are involved or not is not
clear, as this is a very murky case.

I think this highlights that it is simply not
possible to not issue dodgy certs.  There is
nothing a CA can do, nor MF can do, to guarantee
no fraud, and no failures.  Piling in more and
more restrictions doesn't help;  as, if the money
is there to be stolen, procedures are easy to
breach.

About the only thing that is likely to help in
cases like these is reputation.  ChoicePoint has
lost a lot of market value (5%?) from the recent
episode, and in future users aren't going to be
that happy about their cert.  That information
needs to be displayed.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
