> OK, the answer to that is "reasonably likely" if the person doesn't care, and "unlikely to very unlikely" if the person doesn't want to be traced. That would be the reality.
That doesn't necessarily have to be true. Let's take a reasonably extreme example, but it illustrates the point.
What if getting a cert involved a representative of the CA coming round to your head office sometime during the week, noting the activity going on, interviewing the boss and making sure they owned the website and really wanted a cert for it?
In order to fake that, you'd need a temporarily-rented building, fake employees and office furniture for the week, and everything possible to make it look as if it was a real operation.
Of course, we need to work on the problem from both ends: increase the cost of faking it, and reduce the payback from success. So, if you did all this, but the cert you obtained was revoked (via OCSP) within hours of your first phishing scam, then it wouldn't be worth it. So you wouldn't bother.
Note that I'm not necessarily suggesting this as a mandatory company identity verification scheme! But I'm proving the point that it's possible to have verification which you can trace back to a real person or company.
> Literally, it will be a branded logo of the CA's "platinum banking rated" certs as opposed to a branded logo for the same CA with a "bronze entry level merchant rated" cert.
Great. 300 logos to learn instead of 100.
Gerv

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
