[TriLUG] [Maybe OT]: SSL certificates

Jon Carnes jonc at nc.rr.com
Fri Sep 5 21:08:00 EDT 2003


On Fri, 2003-09-05 at 12:01, Joseph Tate wrote:

> At the very least you should verify
> A) that the person is who they say they are.  (2 forms of ID)
> B) That the person owns the domain that they are registering the 
> certificate for.  (WHOIS should be sufficient)
> C) If they do not own the domain, (i.e. if it's registered to a company) 
> then they have the right to request the certificate on behalf of that 
> company, and that the company is a legal entity.
> 
> Then draw up some pseudo-legalese saying:  We do not guarantee this 
> certificate, but we certify that at the time of its issuance it was 
> issued in good faith that the person was who they said they were.
> 
> VeriSign, GeoTrust and Thawte offer guarantees with their certificates 
> as insurance of the data.  TriLUG should not be expected to offer the 
> same kinds of services.
> 
> Joseph

I agree that TriLUG would have to get ID from the requester (and
probably keep it on record) - and that the requester would have to be
the owner or technical contact for the domain. Beyond that I don't think
there is much more we need to do.

A CA is not a guarantee of a good web-experience.  It *only* indicates
that the domain in question is truly the domain it claims to be. That is
all TriLUG needs to be sure of before signing a certificate.

I certainly believe though that TriLUG will not grant certs to known or
suspected fraudulent businesses.

Now, your warning might be better placed on the web-site where the user
downloads the CA, making them aware that all TriLUG has done is to
assure that the site name and IP Address are correct for this domain at
the time that the Certificate was signed. Anything else is just so much
marketing (smoke and mirrors).

Jon



