True, though this is something we would *like* CAs to do. I don't really trust them to do it, but isn't that ideally supposed to be part of their job?
I don't know of any document that says that CAs must check company names to ensure they are unique, nor do I know of any mechanism by which they might even be able to do such a check.
If CAs can't provide a reliable binding between a certificate and a real-world entity, then in my opinion they're pretty useless.
They can. They just can't provide a *unique* binding between a short string of almost-arbitrary text and a real-world entity.
The user may or may not have typed in the domain name they see in the status bar, depending on a variety of things. But maybe I should scale down my claim (from "much more familiar") and just say that users and our legal system have more experience dealing with company names than with domain names. There's an established legal mechanism for dealing with confusingly similar company names; such mechanisms for domain names are missing or much less mature.
Actually, the domain name dispute resolution policy is fairly harsh about names which are registered to try and appear to be other people. Some people don't like this, but it's very useful for our purposes here.
Many users would object more to a Government CA than any other sort.
Okay, sure. But would you agree with the statement that it would be better not to expect users to place trust in CAs they don't know?
I'm not sure what alternative there is.
And would you agree that most users don't know most of the CAs they are currently relying on?
That's true. They trust them because they trust us (they installed our software) and we trust them.
No, the public key is all that is necessary. If I establish an SSL connection with you and I can verify your public key, I know for sure that I'm talking to you (unless you have given away your private key).
You can certainly be sure you are talking to the same person you were talking to last time, yes. You can't be certain that it's me - and that's where what the cert says comes in.
Gerv

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security