In the absence of standards for applicant verification for standard SSL certificates, CAs need to promulgate strong policies and publicize their contractual obligations for resellers, and they need to audit those relationships.The SSL infrastructure is based, in a large sense, on trust. We
trust that vendors of the software that checks certificates will only
trust the roots of certificate authorities that are trustworthy, and
that means CAs that check to see that the applicant for a certificate
is who he says he is.
Unfortunately, there are no real standards for how to verify
identity of an applicant for a conventional SSL certificate. This is
one of the main motivations behind EV-SSL, for which there is a defined
standard for authentication of applicants.
But even for conventional SSL certs, you'd think there would be some
verification done, but it's not always the case. Thus, we have the case
of a Comodo reseller
attempting to scam users into buying certs under false pretenses and
then selling a cert for mozilla.com to someone with no affiliation with
that organization.
Eddy of startcom.org had been getting annoying "reminder" e-mails
for renewing his certificate from a company from which he did not buy
that certificate. If you own a domain name, you've probably gotten
these notes from other, shady domain registrars. Some even send them
snail mail. As part of attempting to learn who these clowns were, Eddy
bought a certificate from them for the domain mozilla.com. If you do a
whois on mozilla.com, you'll see it's listed to DNS Admin, Mozilla
Corporation, with a real Mountain View, Calif., address and what look
like real phone numbers and e-mail addresses.
The certificate vendor that Eddy was dealing with is Certstar, apparently a Danish company and a reseller for Comodo,
a legitimate CA (although Certstar's own certificate comes from
Equifax). I sent a note to Comodo about this not too long ago, so they
haven't got back to me yet, but in the meantime I found a response they
posted to an e-mail list operated by Eddy:
Eddy,
As I noted in my prior correspondence, Comodo has undertaken an
internal review of the Certstar reseller account. We have informed
CertStar that their email violates their contractual obligation to
refrain from sending unsolicited emails and that their email could be
interpreted as misleading and confusing to the customer. During our
review, we discovered that Certstar had apparently issued a certificate
to mozilla.com without validating control of the domain. We immediately
revoked the certificate (prior to your posting) and have suspended
Certstar's reseller activities until our investigation has been
completed. Please let me know if you have any further problems.
Regards
Robin Alden
Comodo
Under the circumstances, they seem to be doing what they can, although
the circumstances are somewhat of their own making. It all raises a lot
of questions:
- It appears that Comodo affiliates do the verification, not Comodo
itself. This surprises me. Is it typical of SSL affiliate
relationships?
- How about EV-SSL? Is it sold through affiliates?
- Will Comodo now review other sales that Certstar has made for such problems?
- Which other CAs have affiliate relationships, and are they reviewing them as well?
EV-SSL can't be the answer for the mainstream because it's very
expensive, essentially by design. It's meant to protect very high-value
sites. There are, as I said, no standards for plain old vanilla SSL,
but there are CA policies and the contracts they have with resellers.
If Comodo's name is to continue to have value, it can't say this
problem begins and ends with this incident, or even just with Certstar.
It has to make clear to the public what it expects of resellers and how
it enforces that policy. In fact, all CAs need to do this.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
Network Security & Hardware 
/ 8 
