ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: certs aren't the answer, was [Asrg] A method to eliminate spam

2003-03-18 09:41:47
from [John R. Levine] [Permanent Link] 
It is already more or less required that organizations buy a CA-issued SSL
cert to operate a web site dealing in credit card transactions.


Now, is that *legally* required, or is that simply the guys at Visa and
Mastercard saying "We won't clear transactions for you unless you...."  

I believe it to be the latter.


Neither, it's the defacto implementation of web servers that accept
credit card orders, mostly to enrich cert vendors.  As someone else
pointed out, it defends against card numbers being intercepted in
transit which is not a significant risk compared to bad guys breaking
into databases at the merchant and stealing all the numbers, or
phishers putting up fake sites with certs that correctly identify the
fake site and collecting credit card info directly from suckers.

Someone else asked how hard it is to get an SSL cert.  It used to be a
pain in the neck requiring notarized letters and faxed copies of
business licenses and the like, but it's not any more.  The last cert
I got required only that the WHOIS domain contact click through a "was
that really you?" challenge, and we all know how utterly valid WHOIS
info is.  The wholesale price is now about $69/yr which isn't enormous
but I'm not eager to pay yet another nuisance fee for faux security.
(I brought up POP and IMAP servers yesterday with SSL certs and all of
my MUAs moan and groan about the self-signed certs.  Phooey.)

It's certainly worth thinking about ways to make it easier to check
that mail is coming from a valid source, along the lines of Habeas or
Trusted Sender, but it's implausible to come up with a mail system
that would be forgery-proof and still be usable to communicate with an
interestingly large set of other people.  If you want a closed system
that only communicates with people whose PGP keys are on your keyring,
you can have that now.  But I don't know many people who'd want that.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
johnl(_at_)iecc(_dot_)com, Village Trustee and Sewer Commissioner, 
http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] Content versus conversation, Chris Lewis
Next by Date:  Re: [Asrg] Domain-Authorized SMTP Mail, Valdis . Kletnieks
Previous by Thread:  RE: [Asrg] A method to eliminate spam, John Rumpelein
Next by Thread:  Re: [Asrg] A method to eliminate spam, meor
Indexes:  [Date] [Thread] [Top] [All Lists]