-------- Original Message --------
Subject: Re: $90 for high assurance _versus_ $349 for low assurance
Date: 16 Mar 2005 23:17:59 -0000
From: John Levine <[EMAIL PROTECTED]>
Organization: I.E.C.C., Trumansburg NY USA
To: [email protected]
CC: [EMAIL PROTECTED]
John, thanks for this fascinating report!
Conclusion? `Not all CAs/certs are created equal`... therefore we should NOT automatically trust the contents of every certificate whose CA appears in the `root CA` list of the browser.
Although some certs make more intrusive checks, it all strikes me as security theater. In particular, although some of them make some effort to verify that I am who I say I am, I don't see any of them making any effort to verify that my web sites are what they say they are. It would be an interesting experiment to register, say, PAYPAL-VERIFICATION.COM (which is available) with my own info in WHOIS, then apply for a cert from Verisign saying that it's me, and see if they ask if I'm Paypal. My guess is that they wouldn't.
Treating CAs differently would be a fine idea if there were a real difference, but $300 or $1000 still isn't anywhere close to what it would cost to do a meaningful investigation of someone's identity.
I've been proposing for a while that we try industry-specific branded certs. The branding would put a logo in the signing cert (there's already a field for it) and adjust browsers to display the signing cert's logo in a place where users can't put anything else, e.g., the corner that usually displays the IE "e" or Firefox bat. Industry specific means that the certs would be issued by a regulator or industry association who already knows who the legitimate entities are, such as the FDIC for banks in the US, so there's no extra step of introducing the certified parties to the certifier.
The point of branding the signer is that you then have a single brand that you want to tell people to look for, e.g. "Would you bank at an office without the FDIC logo in the window? Look for the same logo on your bank's web site."
There remain some issues, notably how you keep fake signing certs out of computers of people who will click the OK box in a window that says "Harvest all your account numbers and steal all your money?" But it seems to me a reasonable approach to more credible online identity for often-faked targets.
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
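To make the "treat CAs differently" idea concrete, here is an added example (mine, not John's code and not any browser's) of a verifier that accepts a site's certificate only if it chains to a designated industry signer, ignoring every other root in the store. The two CAs, the host name bank.example, and the fixed serial numbers are constructed for the demo; the Go standard library does the chain building.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must(err error) { if err != nil { panic(err) } }

// issue builds a cert for cn (SANs in dns) signed by parent; a nil parent yields a self-signed CA (constructed: fixed serial, one-day lifetime).
func issue(cn string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// AcceptedByBrand verifies leaf for host against ONLY the branded signer, not the whole root store.
func AcceptedByBrand(leaf *x509.Certificate, host string, brand *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: brand})
	return err == nil
}

// Demo: two hypothetical roots both issue bank.example; only the regulator-signed cert passes.
func Demo() (fromRegulator, fromCommercial bool) {
	regRoot, regKey := issue("Hypothetical Banking Regulator CA", nil, nil, nil)
	comRoot, comKey := issue("Hypothetical Commercial CA", nil, nil, nil)
	brand := x509.NewCertPool()
	brand.AddCert(regRoot)
	good, _ := issue("bank.example", []string{"bank.example"}, regRoot, regKey)
	lookalike, _ := issue("bank.example", []string{"bank.example"}, comRoot, comKey)
	return AcceptedByBrand(good, "bank.example", brand), AcceptedByBrand(lookalike, "bank.example", brand)
}
```

Demo() returns (true, false): the lookalike cert is perfectly valid under a normal root store, which is exactly why a per-industry signer check adds something the root store alone does not.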
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
--
News and views on what matters in finance+crypto: http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
