Re: [Cacert-sysadm] CAcert email address snafu


Chronological Thread 
  • From: "Sam Johnston" <samj AT samj.net>
  • To: "Philipp Guehring" <philipp AT cacert.org>
  • Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
  • Subject: Re: [Cacert-sysadm] CAcert email address snafu
  • Date: Mon, 8 Sep 2008 20:50:23 +0200
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

On Mon, Sep 8, 2008 at 8:36 PM, Philipp Guehring <philipp AT cacert.org> wrote:
Hi,

> No, the delay needs to be hours, or days - and that would frustrate
> *most* of them.
Ah, yes. That would be far too much.
> Scenario: CEO steps out, attacker creates account, sends probe,
> responds, deletes probe.
Likeliness?
Potential impact?

Well, if CAcert is accepted by one or more of the vendors then its binding power will increase significantly - it could even approach or exceed that of 'legacy' signatures. If someone manages to sell your company from under you then it's an epic fail, wouldn't you agree?

Likeliness, I'm not sure. If your email is accessible to an attacker you're stuffed anyway.
 
> I'm talking about email verification here, but this could just as
> well be used for domains and the victim would never be the wiser. I
> think the best method here is to periodically check (via a service
> that constantly runs through a list resolving tests and flagging those
> that fail) that the 'test' page, meta tag, cname entry, etc. still exists.
Yes.

> Ok, glad we agree. If anything the barrier to entry needs to be
> *lowered* in terms of ease of access to CAcert services (while
> security needs to be raised).
I think the largest barrier we have at the moment is usability.
> That's not a bad idea - by checking things like google's
> phishing/malware APIs, trademark gazettes, company searches, etc.
> presumably.
Yes. But it's a good deal of work to do on the global scale.

Calling the API would be a couple of lines of code, and we could have a few such checks that would 'flag' suspicious applications. We could map IPs to locations and so on too, which is reasonably difficult to circumvent.

Sam
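The periodic re-check service discussed in the message (sweep every previously accepted domain binding and flag those whose test page, meta tag or CNAME evidence has since disappeared or changed) is sketched below as an added illustration; it is not CAcert code and was not part of the original thread. The meta-tag name, well-known path, CNAME label and the verification target domain are assumptions chosen for the example, and DNS and HTTP lookups are injected callables fed from constructed sample data so that it runs offline; in production the same interface would wrap a real resolver and HTTP client.

```python
"""Periodic re-validation of domain-control evidence (added example)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional

# Assumed names for this example; a real CA would pick and publish its own.
META_NAME = "ca-verification"
PAGE_PATH = "/ca-verification.txt"
CNAME_LABEL = "_ca-verify"
VERIFY_ZONE = "verify.example"


@dataclass(frozen=True)
class Binding:
    domain: str
    method: str   # "cname", "meta" or "page"
    token: str    # random value issued when the binding was first validated
    owner: str    # account the binding was granted to


class _MetaTagParser(HTMLParser):
    """Collects <meta name=... content=...> pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.meta: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        name, content = a.get("name"), a.get("content")
        if name and content is not None:
            self.meta[name.lower()] = content


Resolver = Callable[[str], Optional[str]]   # name -> CNAME target, or None
Fetcher = Callable[[str], Optional[str]]    # URL -> body, or None


def evidence_present(b: Binding, resolve_cname: Resolver, fetch: Fetcher) -> bool:
    """True if the evidence issued at validation time still exists and matches."""
    if b.method == "cname":
        target = resolve_cname(f"{CNAME_LABEL}.{b.domain}")
        # Compare the full target, not mere existence: a later owner may
        # re-create the record with their own token.
        return target is not None and target.rstrip(".") == f"{b.token}.{VERIFY_ZONE}"
    if b.method == "meta":
        body = fetch(f"http://{b.domain}/")
        if body is None:
            return False
        p = _MetaTagParser()
        p.feed(body)
        return p.meta.get(META_NAME) == b.token
    if b.method == "page":
        body = fetch(f"http://{b.domain}{PAGE_PATH}")
        return body is not None and body.strip() == b.token
    raise ValueError(f"unknown method {b.method!r}")


def recheck(bindings: List[Binding], resolve_cname: Resolver, fetch: Fetcher) -> List[Binding]:
    """One sweep over the list; returns the bindings to flag for review."""
    return [b for b in bindings if not evidence_present(b, resolve_cname, fetch)]


# ---- constructed sample data (not real zones or sites) ----
FAKE_DNS: Dict[str, str] = {
    "_ca-verify.alpha.example": "tok-a1.verify.example.",
    # beta.example: record removed after validation (the "deleted probe" case)
    "_ca-verify.gamma.example": "tok-x9.verify.example.",  # re-created with a different token
}
FAKE_HTTP: Dict[str, str] = {
    "http://delta.example/": '<html><head><meta name="ca-verification" content="tok-d1"></head></html>',
    "http://epsilon.example/ca-verification.txt": "tok-e1\n",
    "http://zeta.example/": "<html><head><title>new owner</title></head></html>",  # tag gone
}
SAMPLE: List[Binding] = [
    Binding("alpha.example", "cname", "tok-a1", "acct-1"),
    Binding("beta.example", "cname", "tok-b1", "acct-2"),
    Binding("gamma.example", "cname", "tok-g1", "acct-3"),
    Binding("delta.example", "meta", "tok-d1", "acct-4"),
    Binding("epsilon.example", "page", "tok-e1", "acct-5"),
    Binding("zeta.example", "meta", "tok-z1", "acct-6"),
]


def demo() -> List[str]:
    """Domains a sweep over the constructed data would flag, sorted."""
    return sorted(b.domain for b in recheck(SAMPLE, FAKE_DNS.get, FAKE_HTTP.get))


if __name__ == "__main__":
    for d in demo():
        print("FLAG", d)
```

A sweep like this catches the "create probe, respond, delete probe" pattern only after the fact, so the useful output is the flag, not an automatic revocation: a flagged binding should suspend issuance for that domain and go to a human or a re-validation request, since transient DNS or HTTP failures would otherwise cause needless revocations.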
 


