Gervase Markham wrote:
...and there's a white paper which goes into more depth.
http://geotrust.com/resources/white_papers/pdfs/SSLVulnerabilityWPcds.pdf

Hey Ian, they read your blog :-) See the footnote to page 11 (page 13 in the PDF).


Note that the Geotrust paper basically contradicts the thrust of the TechWorld article Ian previously referenced ("SSL 'security' aiding online fraud"). The story is promoting the position that domain-validated SSL certs are bad, and hence only identity-validated certs should be used, while the Geotrust paper is promoting the idea that non-domain identity info in certs is inherently unreliable and that using domain-validated certs can be a perfectly reasonable decision.

It's interesting to see discussion heating up around the topic of CAs and their roles, and of course this is all useful background for future decisions we might make regarding browser UI.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
