On www.example.com being squatted, the problem is that the squatter does not get the private key, so yes, it has a certificate with a public key, but everybody does... To use the certificate, he will have to regenerate a private key, which means a new certificate and expiring the old one. The question is, as all domain names are registered with credit cards, how much do you trust banks? Do we need more trust? Indeed there are a few problems with social engineering, but the game is to propose something, pass it through review by security experts and see if they can improve it. SSLv1 was hacked during its first official presentation...

Also, in my Internet Explorer there are a bunch of root certificates that I don't know about, and if you send an e-mail to Microsoft they will add your root CA to the Windows Update site, which will push it to every Internet Explorer. Ideally, we should rate each CA in our applications and the application should give us a level of risk...

Most of the time what we want is traceability. I have a problem with a site, then I look for who paid for the certificate, then get the card holder and then involve the police. I have someone to get hold of... What all CAs out there are just doing is passing the buck and ensuring they can do it...

Cheers.

-----Original Message-----
From: Christian Huitema [mailto:huitema@windows.microsoft.com]

Part of the problem is that we are mixing two issues, i.e. "am I speaking to the server that is legitimately designated by the name www.example.com", and "am I speaking to the service that is supposed to manage my examples." Attaching certificates to names may solve the former; solving the latter requires that the user discovers in a trusted way the DNS name associated with the service. We know that there are many psychology-based attacks that can fool users into connecting to the wrong name; PKI certificates attached to the DNS name are not going to solve that.

There is in addition an even more murky area, which is the validity of the binding over time. Some artists specialize in grabbing DNS names that their legitimate users fail to renew in time. Suddenly, www.example.com is not managing my examples anymore; it has become a gateway to a porn site. Yet, that porn portal has a perfectly valid and up-to-date PKI certificate. Amusing, isn't it?

-- Christian Huitema