
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.



Vincent Archer wrote:

On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:


I'm not assuming anything, I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it, people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.



Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to somebody who simply said he was a Microsoft employee, and they didn't do any check about the identity of the person, what happened?

Nothing. Except issuing a couple of "oops" certificate revocations.

I can't even find a public announcement by Verisign stating they would take
actions to correct their own validation procedures and avoid repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.




I, too, would be interested in some kind of "lessons learned"-document, describing why this could happen at all - and how Verisign wanted to avoid it in the future.


It's really a pity that the root-CAs in browsers haven't been subject to more public scrutiny - now and back then.




cheers, Rainer

--
===================================================
~     Rainer Duffner - rainer@xxxxxxxxxxxxxxx     ~
~           Freising - Munich - Germany           ~
~    Unix - Linux - BSD - OpenSource - Security   ~
~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
===================================================