Valdis,
[CA issued SSL certs]
How proof is the system against identity theft? There's 50M
.coms, a large portion of them are probably vanity domains -
JoeRandom.com, the Whois probably gives enough info to start,
if you can score an SSN to match, you could probably get a
cert. Might even be able to do it without the SSN.
Certificates are generally not issued to individuals, and I am not sure what
kind of hoops you have to jump through to do that. I have only done it for
corporations, and I can tell you what is involved there.
The biggest requirement is paperwork on the establishment of the corp. as a
legal entity -- generally the Certificate of Incorporation issued by the
state that the corp. is set up in. Second you need to have an agreement
signed by an authorized person at the company (these, granted, could be
faked, but now you're committing fraud) saying that they are requesting an
SSL cert on behalf of the company. Third, of course, is the actual payment,
which creates a paper trail of its own.
I'm not saying this is a perfect solution. There are some companies out
there that would go through all this and then spam people anyway. But at
least then we'd know exactly who they were and where to find them.
-J
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg