Using crypto against Phishing, Spoofing and Spamming...
Ian Grigg
iang at systemics.com
Sat Jul 10 19:26:06 EDT 2004
Florian Weimer wrote:
> There are simply too many of them, and not all of them implement
> checks for conflicts. I'm pretty sure I could legally register
> "Metzdowd" in Germany for say, restaurant service.
This indeed is the crux of the weakness of the
SSL/secure browsing/CA system. The concept
called for "all CAs are equal" which is an
assumption that is easily shown to be nonsense.
Until that assumption is reversed, the secure
browsing application is ... insecure. (I of
course include "no CA" and "self-signed certs"
within the set of "all CAs.")
The essence of any fixes in the browsers should
be to address the (rather fruitful) diversity
amongst CAs, and help the user to make choices
amongst the brands of same.
Some CAs are more equal than others... and the
sooner a browser recognises this, the better.
>>These bodies could issue logo certificates.
>
>
> These certificates would only have value if there is extensive
> verification. We probably lack the technology to do that cheaply
> right now, and the necessary level of international cooperation.
I'm not sure I understand how logo certs would
work, as there is still the possibility of same
being issued by CA-Nigeria and having remarkable
similarity to those issued by USPTO.
Until the CA is surfaced and thrust at the face
of the user, each browser's 100 or so root CAs
will be a fundamental weakness. Including of
course the absence of CA, which is something
that is nicely hidden from the user.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list