Your Shameless Host
Hi! Welcome to the personal blog of Jason Stirk (Griffin) - a slightly unhinged web application developer living in Lismore, NSW (yes, that's in Australia).
I run a software consulting company called Aurora Software.
Now whilst I disagree that clamping down on CAs would get rid of spyware (it may slow it slightly, though), it does bring up the important point of trust. In particular, it points out the problem of CAs giving the user a sense of trust in an organization that the CA doesn't even know.
This issue of "false trust" is something that we were discussing in the office the other week, as we arranged to shell out the US$149 for one of thawte's SSL123 certificates, which get issued within minutes with only minimal checking. The difference between this certificate and thawte's usual certificates (apart from the $50 price difference) is that the SSL123 certificates have no information contained within them about the legal entity they were issued to. (Want to compare? Check out here vs. here)
Technically, the two certificates are exactly the same. In the case of the SSL123 certificate, we paid $149 for them to run a quick WHOIS on the domain and check that the contact information we supplied was the same. Quickest $149 you've ever made. In the case of the other certificate, a company check was done, but as far as we know, that was it.
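To see the difference the post describes from the relying party's side, here is an added example (not code from the original post, and not thawte's issuance process): two self-signed certificates are constructed locally with assumed subject values, one carrying only a host name and one carrying the legal entity's details, and a small helper reports whether a certificate's subject names an organisation at all.

```shell
#!/bin/sh
# Added example: compare a certificate whose subject names only a host with one
# whose subject also names the legal entity. Both certificates are self-signed and
# constructed here for the demo; the subject values are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed certificate for the given subject; prints the PEM path.
make_cert() {
    out="$WORK/$1.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$out" >/dev/null 2>&1
    printf '%s\n' "$out"
}

# Print the organisation (O=) attribute of the subject, or nothing if it is absent.
cert_org() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=//p' | tr ',' '\n' | sed -n 's/^O=//p'
}

# Succeed if the subject names an organisation, fail if only a host name is present.
has_legal_entity() {
    [ -n "$(cert_org "$1")" ]
}

# A domain-only subject, as the text describes for the cheaper certificate.
DV=$(make_cert dv "/CN=www.example.test")
# A subject that carries the legal entity, as the text describes for the usual certificate.
OV=$(make_cert ov "/C=AU/ST=NSW/L=Lismore/O=Example Pty Ltd/CN=www.example.test")

for cert in "$DV" "$OV"; do
    if has_legal_entity "$cert"; then
        echo "$(basename "$cert"): subject names organisation '$(cert_org "$cert")'"
    else
        echo "$(basename "$cert"): no organisation in subject; only the host name is asserted"
    fi
done
```

The only thing the second certificate tells a browser that the first does not is the subject's C/ST/L/O attributes; neither says anything about whether the CA trusts that organisation.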
What is thawte doing - in either case - to say that they trust either business? That's right. Absolutely nothing.
Don't for a second assume I am singling thawte out on this - I'd be quite pleasantly surprised to find that any CA does their due diligence in checking that the organization they are issuing a certificate to is reputable.
I believe there are a few problems all playing into the matter of on-line security, though.
In the end though, all of this rant, as is Ben's, is fairly pointless - CAs will not change until someone makes them do so. Who is going to do that? Management? These changes would mean they actually have to work for their money - how is that going to help the bottom line? Maybe Government? But which one? Or maybe yet another non-profit (haha yeah, right) organization like ICANN?
Yup - we'll just all whine and moan, but nothing is going to happen in the short term while the Internet is run by bean-counters and bureaucrats.