the joy of "enhanced" certs
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Jun 5 03:20:26 EDT 2008
"Perry E. Metzger" <perry at piermont.com> writes:
>An object lesson in this just fell in my lap -- I just got my first email
>from a spammer that links to a web site that uses such a cert, certified by a
>CA I've never heard of ("Starfield Technologies, Inc."). Doubtless they sell
>discount "Enhanced Security" certs so you don't have to worry about paying
>more money either. I haven't checked the website for drive-by malware, but I
>wouldn't be shocked if it was there.
There's another data source that's examined the effect of EV certs and browser
blacklists on a much larger scale, namely the APWG statistics. They show an
essentially flat distribution for phishing from January 2007 to January 2008,
the period of phase-in of EV certs and the browser anti-phishing filters. In
other words the attack stats show that the effect of EV certs was exactly as
expected.
(Hat tip to an APWG member who made this point during a conference talk
recently).
>I'm thinking of starting a CA that sells "super duper enhanced security"
>certs
So you could have EV certs, EEV certs, EEEV certs, EEEEV certs, a PKI
equivalent of the 'aptitude -v[v[v[v[v[v...]]]]] moo' trick. Every couple of
years when people realise that the current level of (E^n)V certs work no
better than the (E^n-1)V certs that preceded them did, you add another 'E' and
everyone gets to pay again for a new set of certs. The only potential problem
is that all the CAs would have to agree to add more E's in lock-step,
otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the
most E's the quickest wins.
Peeeeeeeter.
---------------------------------------------------------------------
The Cryptography Mailing List