If CAs can't provide a reliable binding between a certificate and a real-world entity, then in my opinion they're pretty useless.
Others' opinions may differ. Simple binding of a cert to a domain name (without necessarily binding to a verified real-world identity) does provide a measure of security and is arguably sufficient for some real-world use cases.
(I'm sorry to say that I have little knowledge of what guarantees CAs currently make -- if any. I will try to learn more about this.)
Practices vary between CAs. As a real world example (picked because I have a domain registered with them and noticed this in their latest newsletter), Go Daddy offers two different types of SSL certificates, "TurboSSL" and "High-Assurance":
https://www.godaddy.com/gdshop/ssl/compare.asp
TurboSSL certs basically validate only ownership of the domain, while High-Assurance certs attempt to validate organization or individual identity.
(As a side note, Go Daddy offers free TurboSSL certs to open source projects:
https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp
Note that these certs are issued by a Go Daddy-affiliated CA (Starfield Technologies) that is actually an intermediate CA under the Valicert Class 2 CA. Since the latter CA is in the Firefox root CA cert list, Go Daddy certs (whether TurboSSL or High-Assurance) should work fine in Firefox. (They should work fine in IE too, for the same reason, though I haven't tested this.) Also note that Go Daddy/Starfield has the "WebTrust Seal" (displayed on the page referenced above) and has passed a WebTrust for CAs audit (linked to from the WebTrust Seal page), probably at least partly as a consequence of Valicert having passed WebTrust.
So the bottom line is that "domain name only" certs are in common use, and at least in this case the CA in question is fulfilling the requirements of our current interim policy for putting CA certs in Firefox, as well as Microsoft's policy, which is basically "WebTrust or equivalent". The CA in question would also on the face of it appear to satisfy the requirements of our proposed "official" policy, which I'm currently working to finish and submit to the Mozilla Foundation for approval.
As to whether domain name-only certs are a "good thing" or a "bad thing", IMO this depends on the context. For more of my thoughts on this subject see my blog post announcing the latest draft 11 of the proposed Mozilla CA certificate policy:
http://www.hecker.org/mozilla/cert-policy-draft-11
I think the issue here is whether all possible uses of SSL should have to bear the burdens some might want to impose in the name of protecting against phishing.
Frank
-- 
Frank Hecker
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
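The chain-of-trust point made above (an issuing CA that is itself an intermediate under a root already in the browser's list, so its certs validate without the issuing CA being listed), as an added example that is not part of the original message: it builds a constructed toy hierarchy with the `cryptography` library, checks that a leaf chains to a listed root through the intermediate, and flags a domain-only cert by the absence of an Organization name in its Subject. All names and keys are constructed placeholders, not the real certificates of the CAs named in the post.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _name(**attrs):
    oids = {"cn": NameOID.COMMON_NAME, "o": NameOID.ORGANIZATION_NAME}
    return x509.Name([x509.NameAttribute(oids[k], v) for k, v in attrs.items()])

def _make_cert(subject, issuer_cert, issuer_key, key, is_ca):
    """Issue a cert for `key`, signed by `issuer_key`; issuer_cert=None means self-signed root."""
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_name = subject if issuer_cert is None else issuer_cert.subject
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

# Constructed toy hierarchy: root (in the browser's list) -> intermediate (the
# issuing CA, NOT in the list) -> two leaf certs. Placeholder names only.
ROOT_KEY, INT_KEY, DV_KEY, OV_KEY = (rsa.generate_private_key(65537, 2048) for _ in range(4))
ROOT = _make_cert(_name(cn="Toy Root CA", o="Toy Root"), None, ROOT_KEY, ROOT_KEY, True)
INTERMEDIATE = _make_cert(_name(cn="Toy Issuing CA", o="Toy Affiliate"), ROOT, ROOT_KEY, INT_KEY, True)
DV_LEAF = _make_cert(_name(cn="www.example.test"), INTERMEDIATE, INT_KEY, DV_KEY, False)  # domain-only
OV_LEAF = _make_cert(_name(cn="www.example.test", o="Example Corp"), INTERMEDIATE, INT_KEY, OV_KEY, False)

def signed_by(cert, issuer):
    """True if issuer's name matches cert's Issuer and issuer's key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def chains_to_trusted(leaf, intermediates, trust_anchors, max_depth=8):
    """Walk from leaf toward an anchor via the supplied intermediates. The direct
    issuer need not be an anchor: an intermediate under a listed root suffices."""
    current = leaf
    for _ in range(max_depth):
        if any(signed_by(current, anchor) for anchor in trust_anchors):
            return True
        current = next((c for c in intermediates if signed_by(current, c)), None)
        if current is None:
            return False
    return False  # chain too long: treat as untrusted

def is_domain_only(cert):
    """Domain-validated style cert: Subject carries no Organization name."""
    return not cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
```

Without the intermediate supplied (or without the root in the anchor set) the leaf fails to validate, which is the usual cause of "works in one browser, not another" reports for certs from affiliated CAs.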
