Let me respond to a couple of good points in the prior string. On the question of which type of cert (manual, O field certs or automated CN field certs) would give a defrauded consumer the greater chance of finding the fraudster: GeoTrust's automated vetting ends up with about the same number of verifiable identity touchpoints with a site owner as manual vetting does. We have confirmed domain name, WhoIs data, verified phone number (so we can trace back through phone company records), and credit card used to purchase the automated cert (we can track back that way as well). The manual vetting process has pretty much the same touch points (or fewer) - and the paper that was presented for a manual, O field cert may be pretty worthless for purposes of finding a fraudster if it was copied from a real company's corporate filings in the public record, or is just the paper for a phony shell corporation. You have about as much chance of finding the fraudster in both cases. And the automatic vetting also has a lot of behind the scenes fraud algorithms applied to prevent the issuance in the first place, so I'd argue it may be stronger.
Second, on the value of manually vetted certs. My paper doesn't say all manually vetted certs are bad in the O field - it's probably relatively accurate in 90 percent of cases, maybe more. But it is (or can be) definitely wrong in 1 or 2 percent of cases, or more. That is a perfect phishing environment if consumers believe the field is accurate and can be used for trust decisions. I've simply come to the conclusion that the manually vetted certs are not worth the extra time and money of shuffling paperwork, because they don't add value in determining actual business identity data that is strong enough to be the basis for trust decisions. Some might say "make manual vetting more vigorous", but then certs might cost $1,000 or more (need corporate resolutions, contacts with registered agent, site visit, review of financial statements to make sure it is a "real" company and not a shell) along with subjective judgments on which business entities are real and which are virtual only. And of course, this would have to be repeated annually (and maybe a process is needed to revoke the certificate mid-year if the business is liquidated, etc.). A lot of small businesses would just drop SSL in response. I'd rather have SSL be cheap and ubiquitous, and also display verified third party reputation and performance data for the business by tying it to the only unique, certain attribute in a cert - the CN field showing the fully qualified domain name. Kind of like the eBay model for sellers whose identities are otherwise not verified. Put another way, I'd rather put my trust in a site that had never been verified as to its corporate identity but that has lots of positive reputation and performance data from other consumers than in a site that's had its business identity verified but has no consumer reputation and performance data from other consumers attached - it could be a new, phony site set up for phishing.
_______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
