[125349] in cryptography@c2.net mail archive
Re: the joy of "enhanced" certs
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Jun 5 10:20:21 2008
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, perry@piermont.com
In-Reply-To: <87ve0p6krz.fsf@snark.cb.piermont.com>
Date: Thu, 05 Jun 2008 19:20:26 +1200
"Perry E. Metzger" <perry@piermont.com> writes:
>An object lesson in this just fell in my lap -- I just got my first email
>from a spammer that links to a web site that uses such a cert, certified by a
>CA I've never heard of ("Starfield Technologies, Inc.") Doubtless they sell
>discount "Enhanced Security" certs so you don't have to worry about paying
>more money either. I haven't checked the website for drive by malware, but I
>wouldn't be shocked if it was there.
There's another data source that's examined the effect of EV certs and browser
blacklists on a much larger scale, namely the APWG statistics. They show an
essentially flat distribution for phishing from January 2007 to January 2008,
the period of phase-in of EV certs and the browser anti-phishing filters. In
other words, the attack stats show that the effect of EV certs was exactly as
expected.
(Hat tip to an APWG member who made this point during a conference talk
recently).
>I'm thinking of starting a CA that sells "super duper enhanced security"
>certs
So you could have EV certs, EEV certs, EEEV certs, EEEEV certs, a PKI
equivalent of the 'aptitude -v[v[v[v[v[v...]]]]] moo' trick. Every couple of
years when people realise that the current level of (E^n)V certs work no
better than the (E^(n-1))V certs that preceded them did, you add another 'E' and
everyone gets to pay again for a new set of certs. The only potential problem
is that all the CAs would have to agree to add more E's in lock-step,
otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the
most E's the quickest wins.
Peeeeeeeter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com