the joy of "enhanced" certs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jun 5 03:20:26 EDT 2008


"Perry E. Metzger" <perry at piermont.com> writes:

>An object lesson in this just fell in my lap -- I just got my first email
>from a spammer that links to a web site that uses such a cert, certified by a
>CA I've never heard of ("Starfield Technologies, Inc."). Doubtless they sell
>discount "Enhanced Security" certs so you don't have to worry about paying
>more money either. I haven't checked the website for drive-by malware, but I
>wouldn't be shocked if it was there.

There's another data source that's examined the effect of EV certs and browser
blacklists on a much larger scale, namely the APWG statistics.  They show an
essentially flat distribution for phishing from January 2007 to January 2008,
the period of phase-in of EV certs and the browser anti-phishing filters.  In
other words the attack stats show that the effect of EV certs was exactly as
expected.

(Hat tip to an APWG member who made this point during a conference talk
recently).

>I'm thinking of starting a CA that sells "super duper enhanced security"
>certs

So you could have EV certs, EEV certs, EEEV certs, EEEEV certs, a PKI
equivalent of the 'aptitude -v[v[v[v[v[v...]]]]] moo' trick.  Every couple of
years when people realise that the current level of (E^n)V certs work no
better than the (E^n-1)V certs that preceded them did, you add another 'E' and
everyone gets to pay again for a new set of certs.  The only potential problem
is that all the CAs would have to agree to add more E's in lock-step,
otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the
most E's the quickest wins.

Peeeeeeeter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com