Ben Laurie wrote:
> :-) In order to qualify for a server certificate from either VeriSign or
> Thawte (the two most likely CAs) you must produce proof that you (your
> company) own the domain and that you are the company you claim to be.
>
> How carefully they check this proof I am not prepared to speculate on.
In VeriSign's case, they require notarized documentation to that effect.
What process a Notary Public goes through to verify these properties, I have no idea.
Bottom line: at some point you end up trusting someone, typically someone whose life will be materially affected by any detected inaccuracies. For lawyers, this is the disbarment process. I do not know what the analogous penalties for a Notary Public are.
Another approach to the whole subject is, of course, the "Web of Trust" as used by PGP.
Paul Snively
<mailto:psnively@earthlink.net>