[cabfpub] Draft Zurich F2F Meeting agenda
sleevi at google.com
Tue Apr 7 18:52:52 MST 2015
On Tue, Apr 7, 2015 at 6:42 PM, Richard Wang <richard at wosign.com> wrote:
> Thanks for so detail information.
> Why I raise this problem is most bank in China install its own root to
> Windows trusted root while install the USB Key CSP, but the User key
> certificate don’t have EKU limit that user can use this cert to sign
> malware that the signature is trusted by Windows. This is a big security
> Another problem is the trusted signed malware modify the local host file
> and install its own root to trusted root, then redirect to the fraud bank
> site, but the browser don’t have warning.
> This is why I suggest browser and Windows should not trust manually
> installed root.
> Best Regards,
I agree, that is a real problem. I'm aware of a number of similar
unfortunate and insecure practices being encouraged by the traditionally
trusted organizations (banks, postal services, governments). I think it's
very unfortunate for users when their system security is subverted by the
people they trust.
Just because I don't think there is much that the CA/B Forum can or should
do does not mean I don't think this is an important issue or that it should
be solved. I just don't think that we here can solve it. In some circles,
this is called a "layer 8 issue" - meaning that the solution is not
necessarily one of technology, but one of policy, awareness, and activism.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public