On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
I'm not assuming anything, I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it, people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.
Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
somebody who simply said he was a Microsoft employee, and they didn't
do any check about the identity of the person, what happened?
Nothing. Except issuing a couple of "oops" certificate revocations.
I can't even find a public announce by Verisign stating they would take
actions to correct their own validation procedures and avoid repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.