ietf

Certificate / CPS issues

2003-06-05 12:47:44
The CPS states the authentication processes that the CA uses in issuing the
certificate or otherwise certifying the key (amongst other things).

You can trust the CPS in the sense that the CPS of a well known CA should
provide you with a reliable indication of the level of risk involved in
relying on the certificate.


Yes there are ways to get hold of a certificate even if you are a bad
person. In the credit card world every transaction carries insurance, so the
risk is acceptable. In the spam control world the risk is that you get
spammed, a problem but hardly a mission critical, can never happen
compromise. In the Web Services world someone can steal goods or services, a
real problem - so expect Web Services PKI services to be based on PKI models
such as XKMS where insurance can be sold with each transaction.

Ok so imagine the spam sender registers a bogus company, sends spam. What is
the redress, how long can they get away with it and how easy will it be to
get a replacement certificate?

It is likely that spam senders are going to get caught pretty quickly,
within the first 100,000 messages or so. Spam a honeypot, get your
credentials revoked. In theory you could revoke at that point. For technical
reasons I won't bore you with it is more likely you would want to not revoke
the cert and instead revoke a 'trustworthy sender' attribute. This can still
be advertised through XKMS.

It is even possible to push the revocation notice out so that the emails can
be retrospectively quarantined; this would require a new protocol.


A spam sender could attempt to use disposable certificates in the same way
that IP addresses and dialup accounts are considered disposable. This is
unlikely to work for long, the spam sender can set up lots of shell
companies at the same address but if the CA keeps authenticating to the same
address or phone number the pattern will soon become apparent.

There is even an empirical measurement of how effective a CA's processes are.
Just look at the scores that spamBayes is assigning to certs from different
CAs. The zero-Authentication CAs will quickly be attacked by spam senders.

                Phill
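
The pattern check described in the message (many shell companies authenticated to the same address or phone number), as an added example that is not part of the original post or any CA's actual process. The record layout, the normalization rules and the sample registrations are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (organisation, verified address, verified phone).
REGISTRATIONS = [
    ("Acme Offers Ltd", "12 Harbor Rd, Suite 4, Springfield", "+1 (555) 010-2000"),
    ("Best Deals Inc", "12 harbor rd suite 4 springfield", "555-010-2001"),
    ("Quick Mail LLC", "12 Harbor Rd., Suite 4, Springfield", "1 555 010 2000"),
    ("Northwind Traders", "800 Market St, Riverton", "+1 555 010 3000"),
    ("Prime Promo Co", "77 Elm Ave, Riverton", "(555) 010-2001"),
]

def norm_address(addr):
    # Lowercase, drop punctuation, collapse whitespace.
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

def norm_phone(phone):
    # Assumption: comparing the last 10 digits is enough to ignore country prefixes.
    return re.sub(r"\D", "", phone)[-10:]

def shared_contact_clusters(registrations, min_size=2):
    """Group subscribers linked, directly or transitively, by address or phone."""
    parent = list(range(len(registrations)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}
    for i, (_, addr, phone) in enumerate(registrations):
        for key in (("addr", norm_address(addr)), ("phone", norm_phone(phone))):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])  # union with earlier record
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i, (org, _, _) in enumerate(registrations):
        groups[find(i)].append(org)
    clusters = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(clusters, key=len, reverse=True)

if __name__ == "__main__":
    for cluster in shared_contact_clusters(REGISTRATIONS):
        print(len(cluster), "subscribers share contact details:", ", ".join(cluster))
```

Because links are followed transitively, a registration that switches to a new address but reuses an earlier phone number still lands in the same cluster.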


