the joy of "enhanced" certs

Peter Gutmann pgut001 at
Thu Jun 5 03:20:26 EDT 2008

"Perry E. Metzger" <perry at> writes:

>An object lesson in this just fell in my lap -- I just got my first email
>from a spammer that links to a web site that uses such a cert, certified by a
>CA I've never heard of ("Starfield Technologies, Inc."). Doubtless they sell
>discount "Enhanced Security" certs so you don't have to worry about paying
>more money either. I haven't checked the website for drive-by malware, but I
>wouldn't be shocked if it was there.

There's another data source that's examined the effect of EV certs and browser
blacklists on a much larger scale, namely the APWG statistics.  They show an
essentially flat distribution for phishing from January 2007 to January 2008,
the period of phase-in of EV certs and the browser anti-phishing filters.  In
other words the attack stats show that the effect of EV certs was exactly as

(Hat tip to an APWG member who made this point during a conference talk

>I'm thinking of starting a CA that sells "super duper enhanced security"

So you could have EV certs, EEV certs, EEEV certs, EEEEV certs, a PKI
equivalent of the 'aptitude -v[v[v[v[v[v...]]]]] moo' trick.  Every couple of
years when people realise that the current level of (E^n)V certs work no
better than the (E^n-1)V certs that preceded them did, you add another 'E' and
everyone gets to pay again for a new set of certs.  The only potential problem
is that all the CAs would have to agree to add more E's in lock-step,
otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the
most E's the quickest wins.


The Cryptography Mailing List