Gervase Markham wrote:
...I'm saying that we need to assess certs according to how likely it is that we can trace the cert back to a real individual, not as to how the data required for such tracing was gathered.


OK, the answer to that is "reasonably likely" if
the person doesn't care, and "unlikely to very
unlikely" if the person doesn't want to be traced.
That would be the reality.

Even if there was a product that enabled us to
guarantee that we could trace the person, and even
lay our hands on the person, we'd still be subject
to risk.  The really common trick here is to pay
some poor person to stand in as a proxy;  this is
endemic in rich countries where ID is strong like
Europe, the common trick is to find some alcoholic
who camps out behind the central railway station
and pay them E50 to borrow their ID for a few days.

For companies, it is even easier, because you can
create them on the fly...  The only reason we don't
see it in the Certs world is because scammers don't
bother, they just bypass.  But they will, soon enough.

In summary, my suggestion is that what you want - to
be able to trace the cert back to its owner - simply
isn't a reflection of reality in the case that you
really want to do that because the consumer got robbed.

It's only going to be reliable if it isn't a scam, in
which case that's not interesting.


The manual vetting process has
pretty much the same touch points (or fewer) - and the paper that was
presented for a manual, O field cert may be pretty worthless for
purposes of finding a fraudster if it was copied from a real
company's corporate filings in the public record,  or is just the
paper for a phony shell corporation.


I certainly agree that faxed or even posted paper credentials don't carry much weight. Good printers are cheap.

On that point, good-looking IDs are cheap too. I recently got a new library card and they use the same photo-plastic ID printer as the people who did my last driver's licence. I don't know how easy it would be to drive a fake ID out of one, but I would be surprised if it was hard.


Some might say "make manual vetting more vigorous", but then certs
might cost $1,000 or more (need corporate resolutions, contacts with
registered agent, site visit, review of financial statements to make
sure it is a "real" company and not a shell) along with subjective
judgments on which business entities are real and which are virtual
only. And of course, this would have to be repeated annually (and
maybe a process is needed to revoke the certificate mid-year if the
business is liquidated, etc.)


Sounds good to me. I'd certainly want my bank to have a cert that was verified this much. $1,000 is small change to a bank. And I'd want my browser to tell me so, so that anyone who wanted to pretend to be my bank would have to go through the same process.


Right!  And the only way it is going to tell you
all that is if it puts the name of the CA on the
chrome, along with something that differentiates
the nature of the product within the CA's suite
of root certs.

Literally, it will be a branded logo of the CA's
"platinum banking rated" certs as opposed to a
branded logo for the same CA with a "bronze entry
level merchant rated" cert.

In terms of what we know about users, there is no
other way to get that richness of information to
the user.


iang
--
News and views on what matters in finance+crypto: http://financialcryptography.com/
