[cap-talk] Firefox breaks the principle of identifiability

Ben Laurie ben at algroup.co.uk
Tue Feb 8 16:46:25 EST 2005


list at waterken.net wrote:
> On Feb 7, 2005, at 8:43 PM, Ben Laurie wrote:
> 
>>The Shmoo example does not demonstrate anything about PKI (though it
>>is true that the particular CA chosen doesn't tell you much about who
>>bought the certificate, which would strike me as a fairly effective
>>prevention of the attack - the CA was, however, chosen for cheapness,
>>not usefulness).
> 
> 
> So you view the Shmoo example [1] as a showcase of the PKI providing
> effective prevention against a phishing attack?

No, I view it as a demonstration of the problems introduced by IDN.

> My interpretation of the Shmoo example, and I suspect their intent, is
> exactly the opposite. If we disagree on this point, we must have wildly
> different understandings of the use model the WWW presents to users.

I know the intent, because I was involved. The intent was to show that 
the advice "check the URL and the lock" is not useful advice in the 
presence of (we now know) misimplemented IDN.

But the fact that a CA chose not to bind useful information to the X509 
cert tells us nothing about the viability of X509 as a method of binding 
useful information to domain names. It's quite clear that the CA _could_ 
have bound the information that Eric Johanson purchased the cert and not 
PayPal. This would have been useful.
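A worked illustration of why "check the URL" fails against an IDN lookalike, added here as an example and not part of the thread or the Shmoo demo itself: the label a browser displays is the Unicode form, while the name actually registered and put in the certificate is the punycode (xn--) form. The lookalike label below is constructed for the example (Cyrillic small a, U+0430, substituted for the Latin a), as is the crude mixed-script check.

```python
import unicodedata

# Constructed sample hostnames: the second one swaps the Latin "a" for
# Cyrillic small a (U+0430), which renders identically in most fonts.
GENUINE = "paypal.com"
LOOKALIKE = "p\u0430ypal.com"


def to_ascii(host: str) -> str:
    """Wire form of a hostname: each non-ASCII label is nameprepped and
    punycode-encoded with the xn-- prefix (Python's built-in idna codec).
    This is the name that DNS and the X.509 certificate actually carry."""
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, approximated by the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def mixed_script_labels(host: str) -> list:
    """Labels that mix more than one script: the simplest heuristic a
    browser or log pipeline can use to flag a displayed name as suspect."""
    return [lab for lab in host.split(".") if len(label_scripts(lab)) > 1]


def display_vs_wire(host: str) -> dict:
    """Report what the user sees, what is really named, and whether the
    displayed form hides a script mix."""
    return {
        "displayed": host,
        "wire": to_ascii(host),
        "looks_like_genuine": host == GENUINE,
        "mixed_script_labels": mixed_script_labels(host),
    }


if __name__ == "__main__":
    for h in (GENUINE, LOOKALIKE):
        print(display_vs_wire(h))
```

Showing the wire form (xn--pypal-4ve.com) or refusing to render mixed-script labels restores the usefulness of the URL check; the lock alone never distinguished the two names.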

