I want to disclose that I work for a commercial CA. I also want to make clear that like always in my postings here I am not representing my employer. My postings here are my opinion and my opinion is subject to change. I should also point out in case it's not obvious that I am not a lawyer so don't think I'm giving you legal advice because I'm not.
On 4/15/05, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Ian G wrote:
> > Did you read their paper? They are claiming that the
> > identity traceability is so unreliable that ... you
> > can't rely on it.
>
> No, they are claiming that current verification methods are easily
> enough spoofed that the identity data placed in certs is so unreliable
> that... you can't rely on it. Which is true.
>
> However, that does not preclude CAs doing better verification. Whether
> they put the results of that into the cert, or just wait for my friendly
> policeman to ring them up and ask for it, doesn't really matter.

The fact is that the authentication practices and policies of various CAs differ. For example, if my read of their recent paper is accurate, GeoTrust has taken the position that they do not attempt to associate a certificate enrollee with a particular legal entity through an identity authentication process. If I read Comodo's press release correctly, they have recently taken a different position: that issuing certificates without associating and authenticating the legal entity the site represents is a bad path to take. In the SSL space VeriSign offers certificates issued after a legal identity and domain control authentication process via both its brands (VeriSign and Thawte) and offers domain-control (no identity authentication) certificates via the Thawte brand. One could learn a good bit by studying the various forms of identity verification processes that have been around for years. Some examples worth looking at are notary public applicants, notary public function (witness), birth certificate, passport applicant, credit card applicant, home mortgage applicant, voter identification, driver's license application, social security card, library card. These vary by country and even within countries, yet they are the history and foundation of legal identification.
AFAIK none of these yet involve DNA samples (home mortgages in the US require a fingerprint these days, so I guess that's close), and yet all these systems work reasonably well, all things considered. I think it comes down to balancing the cost of each approach against its risks. Each of these authentication processes is tuned to its need. They evolve in practical ways in response to real successes and failures. Consider how many credit cards have been issued in the US - a large number indeed; the authentication process around these is very low (you may have read about a dog getting a credit card) and yet, as far as I can tell, the credit card associations, banks and card holders are not suffering from that low authentication level. The point I'm trying to make here is that requiring perfect authentication is one of two easy ways to guarantee no authentication is available - the other obvious one being not trying to authenticate at all. Over the years VeriSign, like some other CAs, has strived to improve and tune its enrollment vetting process to match the real needs of the market and to address failures. The reality is there have been few failures to date, and most of them received a good amount of press. It's not hard to imagine why there have been so few failures - the historic balance of authentication quality vs. benefit of fraud does not lend itself to fraud. As the value of having SSL certificates warrants the effort to attack the vetting process, the criminals will do so, and they will likely attack the weakest process first [an interesting exception to this is publicity stunts, where the best known brand is the shiniest target].
I expect some CAs will back off of trying to do identity authentication while others will stick with it and will compete on authentication quality as well as price and brand recognition; this is an area where the browser providers can force the issue a bit by enabling this feedback loop, especially by exposing the site's identity and the CA who did the authentication, but even without effort by the browser providers the press will pick this up as it becomes a more practical concern. It looks to me that the market for commercial CA certificates is starting to mature given the massive adoption of the internet, and consequently (and this shouldn't surprise economists nor security types) there is a segmentation of needs. The reason is simple - not every website has the same security concerns. Over the last few years some CAs have started offering authentication services without attempting to verify the identity of the enrollee (and hopefully leaving out any identity information from the certificate!). The upside is they can offer quicker turnaround and lower prices. The downside is that one can no longer rely on their authentication process to bind the website to a known legal entity. I am not a lawyer, but as I understand it, in the US (to take one example of many) the legal system has many mechanisms for providing justice and remedy for criminal or negligent behavior. The basic idea is to provide a system that enables people and companies to behave according to the values of the society they are in and to provide some assurance that everyone else does too. By reducing the ability of a criminal to operate anonymously one empowers the society to enforce its values by enabling the traditional tools. I must admit that being in this industry for a while I am probably a bit more cautious than most, but I will not pass my credit card information to a web-site that doesn't use SSL style authentication including a certificate that identifies them.
ram

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
