Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Peter Gutmann <pgut001@cs.auckland.ac.nz>]

Marsh Ray <marsh@extendedsubset.com> writes:
>On 06/30/2010 11:41 AM, Martin Rex wrote:
>>
>> Recoloring a part of the browser toolbar is a feature developed
>> by marketeers.  Unless it is clearly defined how things should
>> work with protocols (rfc-2818 or draft-saintandre-tls-server-id-check)
>> this approach is going to create new problems, because it completely
>> ignores programmatic clients.
>
>Not only that but it's "opt-in" validation on the part of the guy 
>running the server (be they legitimate or attacker). I kinda thought it 
>was the job of the CA to do their due diligence in authenticating the 
>applicant all along, so now charging an applicant extra for the 
>privilege of being thoroughly authenticated does not enhance their 
>credibility in my view. 

It's even worse than that.  Here's Verisign's authentication requirements for
businesses.  One is from the 1.0 CPS, which was going to Solve the Problem
fourteen years ago.  The other is from the 2008 EV-cert CPS, which is going to
Solve the Problem today.  Without going out to check, see if you can tell
which is which.  I've harmonised the style and wording a bit since it's
otherwise possible to make a pretty good guess based on the form of the text,
the current CPS has way more legalese:

  Where required, the third party confirms the business entity's name,
  address, and other registration information through comparison with third-
  party databases and through inquiry to the appropriate government entities.
  Confirmation of information of companies, banks, and their agents requires
  certain customized (and possibly localized) procedures focusing on specific
  business-related criteria (such as proper business registration). The third
  party also provides telephone numbers that are used for out-of-band
  communications with the business entity to confirm certain information (for
  example, to confirm an agent's position within the business entity or to
  confirm that the particular individual listed in the application is in fact
  the applicant). If its databases do not contain all the information
  required, the third party may undertake an investigation, if requested by
  the IA, or the certificate applicant may be required to provide additional
  information and proof.

  The third party must be a legally recognized entity whose formation included
  the filing of certain forms with the Registration Agency in its
  Jurisdiction, the issuance or approval by a Registration Agency of a
  charter, certificate, or license, and whose existence can be verified with
  that Registration Agency, and must have a verifiable physical existence and
  business presence.  If the third party represents itself under an assumed
  name, VeriSign verifies the third party's use of the assumed name.

The only difference I can see is that one CPS exhaustively itemises the
various bits and pieces that are checked whereas the other gives it in general
terms, I've left out the list itself because it'd make this a five-page
posting with not a lot more content.  If you want to see the verification
requirements for yourself, they're in section 5.1.3 (old CPS) and Appendix B1
5(c) with an almost-identical copy at 14(C) with more detail in sections that
follow (new CPS).

So all this is doing is turning the clock back 14 years, with pricing to
match.  This is why a financial cryptographer summarised EV certs as "Doing
more of what we already know doesn't work".

Peter.