On 12/3/2008 7:08 AM, John Levine wrote:
>>> Bad guy gets an SSL cert...
>> Stop! Not so easy.
>
> You're kidding, right? When's the last time you got an SSL cert? I happened to get one for my sister yesterday. I looked around to find out who's the cheapest, found someone selling them for $12.95 (servertastic.com), paid with a credit card which, since I am honest, was actually mine, clicked through on a URL in an email message sent to postmaster@<cert domain>, and got the signed cert, in a total of about five minutes. If I did it very often, I could easily have scripted it.
>
> This is the reality of Internet security today. In the cert biz, they now have "high security" green bar certs which roll the clock back to the price and somewhat more stringent investigation that all certs required a decade ago, but it's just a matter of time before those race to the bottom, too.
In every industry, there are vendors who compete solely on price, often at the expense of the quality of their products or services. Some CAs may issue certs to anyone with an apparently valid credit card number and a working email address; some require additional proof that the buyer is who he claims to be. In the long run, certs from CAs in the first group are likely to have less credibility than certs from CAs in the second group.

At some point, some enterprising individual will build a CA reputation database and someone else will write a browser extension that will check the database whenever the browser encounters a cert. It will not be ubiquitous, just as the use of email sender reputation services is not ubiquitous, but it will provide useful information to those who choose to use it.

The anarchical nature of the 'Net virtually guarantees that nothing will ever be deployed universally and simultaneously. Human nature guarantees that someone somewhere will attempt to thwart any technology that might make a significant dent in the spam problem. If universal simultaneous deployment and total infallibility are non-negotiable requirements for any proposal, then nothing will ever be done.

-- 
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell at nd.edu

_______________________________________________
Asrg mailing list
Asrg at irtf.org
https://www.irtf.org/mailman/listinfo/asrg
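The check Russell sketches above (an extension consulting a CA reputation table for every certificate the browser sees), written out as an added example in JavaScript. This is not code from the thread or from any real extension or reputation service: the reputation table, the issuer names and the tier labels are constructed for illustration. The one non-trivial piece is the RFC 4514 issuer-name parser, which has to honour backslash escapes so that a comma inside an attribute value cannot be used to fake an "O=" component of a better-regarded CA.

```javascript
// Added example (not from the ASRG thread): a "CA reputation" lookup of the
// kind a browser extension could run on each certificate it encounters.
// The table below is constructed for illustration; it is not real CA data.
const CA_REPUTATION = [
  // Hypothetical CA that issues after a credit-card charge and a mail to
  // postmaster@<domain> only (the kind of process described earlier in the thread).
  { org: 'example trust inc', tier: 'domain-validated' },
  // Hypothetical CA that verifies the legal identity of the subscriber.
  { org: 'rigorous certs ltd', tier: 'identity-validated' },
];

// Parse an RFC 4514 distinguished name such as
//   'CN=Example DV CA 1,O=Example Trust Inc,C=US'
// into [{type, value}, ...]. Backslash escapes ("\,") and quoted values are
// honoured, so a value like 'Evil\, O=Rigorous Certs Ltd' stays one value
// instead of smuggling in a second O= attribute.
function parseDistinguishedName(dn) {
  const attrs = [];
  const n = dn.length;
  let i = 0;
  while (i < n) {
    const eq = dn.indexOf('=', i);
    if (eq < 0) throw new Error('malformed DN: attribute without "="');
    const type = dn.slice(i, eq).trim().toUpperCase();
    i = eq + 1;
    let value = '';
    let quoted = false;
    while (i < n) {
      const c = dn[i];
      if (c === '\\' && i + 1 < n) {   // escaped character: take it literally
        value += dn[i + 1];
        i += 2;
        continue;
      }
      if (c === '"') { quoted = !quoted; i++; continue; }
      if (!quoted && (c === ',' || c === '+')) break;  // end of this attribute
      value += c;
      i++;
    }
    attrs.push({ type, value: value.trim() });
    i++;  // step over the separator (or past the end)
  }
  return attrs;
}

// Case- and whitespace-insensitive form used as the table key.
function normalizeName(s) {
  return s.toLowerCase().replace(/\s+/g, ' ').trim();
}

// Return an advisory verdict for the CA that issued a certificate.
// Unknown CAs are reported as 'unknown', not as bad: the database is a hint
// for users who opt in, not a trust decision.
function assessIssuer(issuerDn) {
  const attrs = parseDistinguishedName(issuerDn);
  const orgAttr = attrs.find((a) => a.type === 'O') || attrs.find((a) => a.type === 'CN');
  const org = orgAttr ? normalizeName(orgAttr.value) : '';
  const entry = CA_REPUTATION.find((e) => e.org === org);
  if (!entry) return { org, tier: null, verdict: 'unknown' };
  return {
    org,
    tier: entry.tier,
    verdict: entry.tier === 'domain-validated' ? 'low-assurance' : 'higher-assurance',
  };
}

// Constructed sample issuers, as an extension might receive them.
const SAMPLE_ISSUERS = [
  'CN=Example DV CA 1,O=Example Trust Inc,C=US',
  'CN=Rigorous EV CA,O=Rigorous Certs Ltd,C=GB',
  'CN=Evil\\, O=Rigorous Certs Ltd,O=Example Trust Inc,C=US',  // escaped comma
  'CN=Nobody CA,O=Unknown Org,C=ZZ',
];

for (const dn of SAMPLE_ISSUERS) {
  console.log(dn, '->', assessIssuer(dn));
}
```

Keying the table on the issuer's organisation name is the simplification here: distinguished names are not unique, and a CA with a poor reputation can name itself after a good one. A deployable version of this check would key on the issuer certificate's public-key fingerprint instead, and the DN parser would matter only for display.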