x509 v1 certificate

Werner Koch wk at gnupg.org
Mon Sep 25 17:19:01 CEST 2006

On Mon, 25 Sep 2006 16:44, Kazu Yamamoto (山本和彦) said:

>> Isn't that the company who once issued a certificate for MICROS0FT.COM :-)
> I don't understand what's the point here.

The point is that the whole CA business is about collecting money and
not about security.  A security-aware CA would have checked names not
just by scripts but by proper manual checks.  And then a name as
similar to MICROSOFT.COM (watch out for the "0/O") would not be
eligible for such a certificate.

> Some authors of RFC 3280 belong to VeriSign. Why did they have to 

[The advantage for them to work in the WG was to help them educate a
little bit on how to CA the right way.]

> It seems to me that it is not the case. They wrote RFC3280 so that their
> certificates are all valid and unfortunately Section 4 is misleading
> somewhat.

Yep. The usual specification mangling process to turn all bugs in a
software into a feature.


