Gervase Markham wrote:
Ian G wrote:
>> Why are you requiring that of GeoTrust? What happens
>> if they don't provide that service?
> Then the browser UI I write doesn't mark their certs as "suitable for
> commerce" :-)
That would be incomplete :) What you should say is that
"Gervase thinks GeoTrust certs are not suitable for commerce!"
Which would be accurate, but might get you locked up,
especially if you were in some country like Germany,
where it is illegal to make statements that downgrade
the competition.... (any German lawyers in the house?)
Or, what would be entirely accurate and fair and actually
useful to the user (shock, horror) is to say that
"GeoTrust issued this cert to this domain!"
Then, GeoTrust are going to have to ... back up their
good name. Some people think Verisign have the best
brand on the Internet, so surely GeoTrust can do it
too.....
> GeoTrust are presenting "2nd Generation" automated identity checking as
> being much better than "1st Generation" manual checking. I was raising
> the point that it's no better if you still can't get any traceability
> back to a real person.
Did you read their paper? They are claiming that the
identity traceability is so unreliable that ... you
can't rely on it. Literally what they are saying is
that any crook can get a cert to say anything in those
fields. And they showed some.
See, it's an impossibly high barrier: if any crook can
get a duff cert, it undermines the whole system. But
with 100++ CAs out there, there will always be a loose
system somewhere. So when some SSL cert gets used to
fleece a thousand innocent Americans of their hard-earned
credit points then they come and sue *you* for saying
that the cert was good for commerce. Bummer!
If they are right, then the browser should say, according
to your metric, that "no cert is good for commerce"...
Shouldn't you be accepting GeoTrust's offering for what
it is that they offer?
> Absolutely. If all they are doing is saying "I definitely issued this
> cert to the person who actually controls the domain", then I'll mark the
> connection as encrypted but not safe for commerce.
This is weird. Lots of commerce gets conducted all
the time over non-protected channels. In fact, a
non-trivial amount of credit card traffic gets shifted
over non-protected channels. Search on google for FORM
and credit card number and you'll find lots of small
merchants.
Commerce is decidedly not "safe because I said so" or
the converse...
Are you planning to set up a really big table in your UI
that lists all the CAs and whether they are "commerce
rated" or not?
What happens if they decide to issue an identity cert
and a domain-control cert, under the same root?
What happens if they convince you that it really is an
identity cert, then wait until your UI is out there in
its glorious millions, and then they switch to domain
control? (Bait and switch, a favourite trick...)
If you just printed out:
"GeoTrust issued this cert to that domain"
it would solve, completely, once and for all, every one
of those above issues. Otherwise, how are you going to
address all these?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security