Subject: Policy-Discussion
Re: [CAcert-Policy] Reminder - SSL Certificate for *.blahblah.org expires in 10 Days
- From: "Peter Williams " <home_pw AT msn.com>
- To: "Policy-Discussion " <cacert-policy AT lists.cacert.org>, "Duane at e164 dot org " <duane AT e164.org>, " " <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Reminder - SSL Certificate for *.blahblah.org expires in 10 Days
- Date: Tue, 23 Dec 2008 22:03:43 +0000
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
Under the verisign cps, there is/was a formal reliance act on the subscriber.
A subscriber is/was obligated to verify a prototype cert before accepting it
- whereupon it is/was posted to the repository as having both operational and
valid statuses.
The idea is/was to force a (criminal) act of fraud by the knowing subscriber,
impersonating another legal name or trademark/servicemark. Followup USPS mail
can/could be used to induce an act of mail fraud: which is highly actionable.
I.e. send a $1 letter in a stamped, postmarked envelope clearly addressed to
the "owner of mozilla.org(tm)" at subscriber's address of record, with clear
legal notices.
As I half-recall, the 1996 era computer fraud/abuse act amendments (us) had
language added to address such fraud during subscription. Basically, one is
creating/accessing the computer account of a certified domain name (at any
ca) without authorization, arguably with tangible loss to the authorized
account holder.
I've no idea if the ca/reseller legal controls of the case were designed to
the same level of care, as above. (now you know what you are buying, when
procuring a verisign assurance service, in part).
Improper trading practices by ca/ra entities have lots of legal remedies. Try
a formal cease and desist notice to the IA next time, then work up the
complaint process.
If you want to run a third-party reputation service for ca vendors, you can:
it's what ocsp was designed for, in part.
-----Original Message-----
From: Duane at e164 dot org <duane AT e164.org>
Sent: Tuesday, December 23, 2008 9:42 AM
To: cacert-policy AT lists.cacert.org
Subject: Re: [CAcert-Policy] Reminder - SSL Certificate for *.blahblah.org expires in 10 Days
Pete Stephenson wrote:
> I like to think (and perhaps I'm wrong) that people involved with
> SSL-related issues tend to be administrators, and thus reasonably
> intelligent people who can identify such emails as being seedy.
As these things sometimes do, this seems to have taken on a life of its
own and escalated somewhat...
http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html
Including "Discussion about revoking Comodo's root certificate and the
security implications have come up."
As I said the other day, there is a lot more at stake in this case
because of the reputations of other companies than what goes on with
domain scams ;)
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."