BugTraq
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Feb 18 2005 12:50AM
Rainer Duffner (rainer ultra-secure de)
Vincent Archer wrote:

>On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
>
>> I'm not assuming anything, I'm making an argument why it would be
>>self-destructive for any CA to adopt such a strategy. That doesn't mean they
>>won't do it, people certainly do stupid things when they think they can get
>>away with it. But the fact is, CAs can't get away with it. So if they think
>>they can, they will quickly be proven wrong.
>
>Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
>somebody who simply said he was a Microsoft employee, and they didn't
>do any check about the identity of the person, what happened?
>
>Nothing. Except issuing a couple of "oops" certificate revocations.
>
>I can't even find a public announcement by Verisign stating they would take
>actions to correct their own validation procedures and avoid repetition
>of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
>here hopes they fixed their procedures... but no one even knows.

I, too, would be interested in some kind of "lessons learned" document,
describing why this could happen at all - and how Verisign wanted to
avoid it in the future.

It's really a pity that the root CAs in browsers haven't been subject
to more public scrutiny - now and back then.

cheers,
Rainer

--
===================================================
~ Rainer Duffner - rainer (at) ultra-secure (dot) de ~
~ Freising - Munich - Germany ~
~ Unix - Linux - BSD - OpenSource - Security ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp ~
===================================================

Copyright 2010, SecurityFocus