> Whether or not the hijacker can succeed in tricking a CA into issuing a
> cert wrongfully is a complicated question - it's probably (hopefully?) hard
> to reach that goal if the domain name requested is a well-known one.
It'd be pretty hard. When I got a certficate from Thawte for a domain of
mine that hadn't existing until five minutes before I applied,
secure.services.net, they called me at the number on the WHOIS entry for
services.net to verify that it was indeed me applying.
I suppose that a domain registered in a vanity registry that doesn't provide
meaningful WHOIS info, or if they used NSI's new web-based registry and
didn't give them a phone number, it's more likely that a CA could be tricked.
But I can't have much sympathy there -- if you make it hard for people to get
in touch with you, you'll fail to hear from people you do want to hear from
as well as from people you don't.
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
PS: Also, BIND 8.x is much harder to poison than older versions, since it
doesn't accept glue records that don't relate to a request.
