Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall


From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Fri, 17 Mar 2006 20:10:27 -0000

Jason Coombs wrote:
> Brian Eaton wrote:
>> I'd like to see their process changed so that it included a more
>> serious check into the business whose web site they are verifying.
>
> This makes no sense at all, and is simply impossible within the DNS
> system. Furthermore, all verification done by any CA can be easily
> fooled.

  That may be the case in practice, but it's surely not an absolute 
theoretical limitation?  I would have thought it should be perfectly 
/possible/ to set up a CA that really did do a good job; that wouldn't issue 
a certificate except in person, that insists on sending one of the CA's 
staff round to the subscriber's business premises to meet them personally, 
look at the buildings, look at whether it's an established business with a 
history of trading, ask to see customer testimonials, etc. etc.

  It might still be possible to fool them but it would suddenly require you 
to hire a bunch of actors, rent business premises, forge dozens of copies of 
old newspapers to look like you've been in existence and advertising for 
some years.... it's suddenly a /much/ steeper barrier than some stupid 
automated system that some stupid skiddie can email from some stupid open 
proxy.

  And of course that's the real reason why CA verification can be defeated: 
not because there's some technical, logical, social or moral impossibility 
about it; merely because automation is cheap and the corporations that 
perform it are cheapskates who care only about the bottom line and don't 
mind providing a shit service that fails to fulfill its requirements.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/