the joy of "enhanced" certs

Perry E. Metzger perry at piermont.com
Wed Jun 4 15:51:44 EDT 2008


As some of you know, one can now buy "Enhanced Security" certificates,
and Firefox and other browsers will show the URL box at the top with a
special distinctive color when such a cert is in use.

Many of us have long contended that such things are worthless and
prove only that you can pay more money, not that you're somehow more
trustworthy.

An object lesson in this just fell in my lap -- I just got my first
email from a spammer that links to a web site that uses such a cert,
certified by a CA I've never heard of ("Starfield Technologies, Inc.").
Doubtless they sell discount "Enhanced Security" certs so you don't
have to worry about paying more money either. I haven't checked the
website for drive-by malware, but I wouldn't be shocked if it was
there.

I'm thinking of starting a CA that sells "super duper enhanced
security" certs, where we make the company being certified sign a
document in which they promise that they're absolutely trustworthy.
To be really sure, we'll make them fax said document in on genuine
company letterhead, since no one can forge letterhead.


Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


