
[Fwd: Warning: Your SSL Certificate on trust-value.com is expiring soon. Upgrade to 2048-bit today]


Eddy Nigg

Feb 27, 2009, 10:00:55 PM
More spam from Comodo....I wonder if this really behooves a
certification authority claiming to be number two.

The links go to infosecuritynews.com which is protected by whoisguard
(sick), but continuing the promotion one lands at the instanssl site of
Comodo. I suggest to Microsoft and Mozilla to make it a policy
requirement of CAs to refrain from spam and sending of unsolicited mail.
Funny also these offerings from the same house: comodoantispam.com
(would it help me?)

Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

-------- Original Message --------
Subject: Warning: Your SSL Certificate on trust-value.com is expiring
soon. Upgrade to 2048-bit today
Date: Fri, 27 Feb 2009 17:16:30 -0000
From: Comodo Group, Inc. <e-m...@comodogroup.com>
Reply-To: Comodo Group, Inc. <e-m...@comodogroup.com>
To: <webm...@startcom.org>


Comodo - Creating Trust Online
<http://www.infosecuritynews.com/email/ssl/2048-bit/index.html?utm_source=MC&utm_medium=t1&utm_term=comodo1&utm_content=INSERT&utm_campaign=compexpiry&click2=SASP3779.28781>
Upgrade to the next generation of encryption to maintain browser trust.
Learn more.
<http://www.infosecuritynews.com/email/ssl/2048-bit/index.html?utm_source=MC&utm_medium=t1&utm_term=learnmore1&utm_content=INSERT&utm_campaign=compexpiry&click2=SASP3779.28781>

Don't Become a Security Alert
If you upgrade to Comodo 2048 bit certificates now, we'll even add the
remaining time left on your current certificate!
Click here or call 1-888-266-6361
<http://www.infosecuritynews.com/email/ssl/2048-bit/index.html?utm_source=MC&utm_medium=t1&utm_term=seeall2&utm_content=INSERT&utm_campaign=compexpiry&click2=SASP3779.28781>

Mention Promo Code 2048X

U.S. Government to Websites: Your 1024 bit
certificate will be vulnerable


Why upgrade to 2048?

The NIST suggests that all 1024 bit certificates will be vulnerable.

Learn More
<http://www.infosecuritynews.com/email/ssl/2048-bit/index.html?utm_source=MC&utm_medium=t1&utm_term=learnmore4&utm_content=INSERT&utm_campaign=compexpiry&click2=SASP3779.28781>


The Most Trust

Comodo's 2048 bit certificate is trusted by all major browsers on the
internet today.

Learn More
<http://www.infosecuritynews.com/email/ssl/2048-bit/index.html?utm_source=MC&utm_medium=t1&utm_term=learnmore5&utm_content=INSERT&utm_campaign=compexpiry&click2=SASP3779.28781>



Upgrade now and we will add the remaining time left on your current
certificate to your new 2048 bit certificate!


Call 1-888-266-6361 to upgrade today!
<http://www.infosecuritynews.com/email/ssl/2048-bit/index.html?utm_source=MC&utm_medium=t1&utm_term=call6&utm_content=INSERT&utm_campaign=compexpiry&click2=SASP3779.28781>

Mention Promo Code 2048X


This is an advertisement. If you wish to unsubscribe from receiving
e-mail offers from Comodo or if this message has been sent to you in
error, please click on the Unsubscribe link. UNSUBSCRIBE
<http://www.infosecuritynews.com/email/unsubscribe.html?v=webm...@startcom.org&c=b>



Comodo Security Solutions, Inc.
525 Washington Boulevard
Jersey City, NJ 07310
United States


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org

Frank Hecker

Feb 28, 2009, 12:16:17 PM
Eddy Nigg wrote:
> I suggest to Microsoft and Mozilla to make it a policy
> requirement of CAs to refrain from spam and sending of unsolicited mail.

In my original "CA certificate metapolicy" document from 2004

http://hecker.org/mozilla/ca-certificate-metapolicy

I wrote the following:

18. ... The [Mozilla CA certificate] policy should not arbitrarily
exclude CAs from consideration based on factors such as the CA's
size, reputation, *business practices not related to certificate
issuance*, profit or nonprofit status, geographic location, and the
like. [emphasis added]

As part of the discussion of the metapolicy, I wrote the following in
response to a comment from Ben Bucksch stating that he didn't want roots
included for a company "proven to be ruthless", and asking whether we'd
accept Microsoft as a root CA:

I wasn't proposing to ignore the CA's track record specifically
as a CA, I was referring instead to the CA's general reputation as
a business. To answer your hypothetical question: if Microsoft acted
as a CA, and if Microsoft properly did the things one would expect a
CA to do, then why should their root CA cert not be included? Whether
Microsoft is a "good" company or "bad" company in terms of other
non-CA-related business practices (for example, the sorts of things
that got them in trouble with the US and EU) is IMO of little or no
relevance.

http://groups.google.com/group/netscape.public.mozilla.crypto/msg/45e7135322b15f4c

So, consistent with my position back then, I am *not* in favor of our
imposing a policy requirement that CAs (or their resellers) not engage
in spamming. It's not directly relevant to a CA's performance as a CA.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Kyle Hamilton

Feb 28, 2009, 3:51:34 PM
to mozilla's crypto code discussion list
First, Microsoft has already become a CA (multiple times over), and
they arguably do more things related to maintaining the
trustworthiness of the PKI than Mozilla does.

However, I believe that spamming is reprehensible. I also believe
that the only reason that spammers actually spam is because of the
very low cost of sending out UCE, which means that only 1 of 50,000
spams needs to respond to make a profit.

In order to reduce the effectiveness of this flavor of spam (which
only exists because the company has been accepted as "trustworthy" by
Mozilla, Microsoft, Apple, Opera, and the Konqueror team), the only
way to make it less profitable for them is to remove one of the
pillars upon which they base their spam. Specifically, the only way
to make it less profitable is to cost them their browser support,
which would render their CA services valueless.

If Mozilla tolerates this (and I am specifically stating this as Frank
is capable of making at least some policy choices on behalf of the
Mozilla Foundation), then what else will it tolerate? Spam is a
proposition which is more damaging to user security than any PKI
attack can be -- it is a proposition which is essentially a denial of
service attack against their email boxes. (Remember, 'availability'
is one of the things that has always been part of all of the security
protocols that the IETF evaluates -- in this case, though, the
processing power of the user herself is being abused.)

Also, does Mozilla want to go on record as tolerating spam?

-Kyle H


Martin Paljak

Feb 28, 2009, 4:05:09 PM
to mozilla's crypto code discussion list
While I'm from EU and against spam, I must remind the fundamental
optout/optin difference between US and EU. Just a thought.

--
Sent from my mobile device

Martin Paljak
mar...@paljak.pri.ee
http://martin.paljak.pri.ee
GSM:+3725156495

Eddy Nigg

Feb 28, 2009, 4:36:16 PM
On 02/28/2009 10:51 PM, Kyle Hamilton:

> First, Microsoft has already become a CA (multiple times over), and
> they arguably do more things related to maintaining the
> trustworthiness of the PKI than Mozilla does.

Kyle, follow up of Frank's response was set to
mozilla.dev.security.policy. Could you follow up there since me and
Frank posted there as well?

Eddy Nigg

Feb 28, 2009, 4:40:02 PM
On 02/28/2009 11:05 PM, Martin Paljak:

> While I'm from EU and against spam, I must remind the fundamental
> optout/optin difference between US and EU. Just a thought.

Once when I was naive enough and clicked for "unsubscribe" I've got ten
times the amount of spam (since I just confirmed to them that I've read
it and the account is real) until I closed the account altogether. Bad
idea, no trust relationship exists in this respect.

Frank Hecker

Feb 28, 2009, 9:05:53 PM
Kyle Hamilton wrote:
> Also, does Mozilla want to go on record as tolerating spam?

The problem with this argument is that it could be applied to a good
many more things than spam. This is especially true with respect to
government CAs, since governments can and do engage in activities which
a great many people strenuously object to (including me in many cases).
Suppose we include a root for government X, which then proceeds to do
controversial thing Y. Then one could easily ask "does Mozilla want to
go on record as tolerating Y?" where Y in some cases might be far more
serious than sending out spam.

My philosophy is that our "regulation" of CAs should focus on those
things that are most directly relevant to their activities as CAs, and
that we should not use the Mozilla CA policy as a mechanism to try to
punish CAs for other activities they might engage in. If you and others
disagree with that philosophy then you all are free to try to convince
the appropriate people

https://wiki.mozilla.org/Module_Owners_Activities_Modules#Governance_Submodule:__Module_Ownership_System

to override my views on the matter.

Julien R Pierre - Sun Microsystems

Mar 12, 2009, 8:16:28 PM
Eddy,

Eddy Nigg wrote:

> Once when I was naive enough and clicked for "unsubscribe" I've got ten
> times the amount of spam (since I just confirmed to them that I've read
> it and the account is real) until I closed the account altogether. Bad
> idea, no trust relationship exists in this respect.


Not true, there is a trust relationship: once you click, they can trust
your e-mail address is real. :)

And very often you won't even need to click, if you have remote images
enabled in your email.

Eddy Nigg

Mar 12, 2009, 8:30:22 PM
On 03/13/2009 02:16 AM, Julien R Pierre - Sun Microsystems:

> Not true, there is a trust relationship: once you click, they can trust
> your e-mail address is real. :)

LOL

> And very often you won't even need to click, if you have remote images
> enabled in your email.

Nope, luckily I'm using Thunderbird with its default settings.
