Email certificates
Bill Bogstad
bogstad-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org
Sun Apr 4 16:31:07 EDT 2010
On Sun, Apr 4, 2010 at 3:15 PM, Tom Metro <tmetro-blu-5a1Jt6qxUNc at public.gmane.org> wrote:
> I'm currently going through the process of purchasing email
> certificates for a few of my domains, and I'm a bit concerned that the
> vendor I'm currently using is not doing much to validate the information
> I'm supplying. They seem to be relying solely on documents I have
> supplied to them, which I could easily have forged. There is no sign
> that they've verified them independently. (They did use D&B to validate
> information for a certificate in a business name, but that just proves
> that the address I supplied on my application form matches the real
> address of the business.)
>
> If you've gone through this process, were you satisfied with the level
> of checks performed by the vendor, and if so, who did you use?
I just saw an article about potential social engineering issues and
client certificates...
http://www.betanews.com/article/Security-researcher-Trivially-easy-to-buy-SSL-certificate-for-domain-you-dont-own/1270072287
Not sure if it's relevant to your exact situation, but it still warrants a read.
Bill Bogstad