What is it about official-looking documents that mislead too many, too easily???
I once used my older brother's license to get into a bar. Before pictures, our state only offered an official looking paper card. And now, nearly 40 years later, we have the same issues as found in this article, one discussing how to use a fake digital certificate to 'authenticate' an application's issuing identity.
Meanwhile, back at the bar... I approached the doorman and provided an older license, one listing my brother's birthday. Never mind that my brother had black hair, and I had brown. Never mind he was six years older. The doorman waltzed past all the problems because it was an official license. He did ask me to spell that last name though. To impress him, I promised to spell the last name--backwards. I did so, easily, and that got me in. After all, it was an official document, and anyone who can spell my last name--backwards--must be who he claims to be.
I enjoy all Information Security topics, but I really study digital cryptography issues. The industry promises secure electronic commerce by promoting the use of digital certificates, yet few customers have any training or experience verifying these "certificates of authenticity" in their browsers, ID files, etc. Much as my mono-browed doorman from the '70s, people are so easily misled by official-looking names inserted effortlessly into bogus digital certificates.
Read the article. Does your organization have a digital verification strategy (or can anyone issue certificates using your name)? Do your digital cryptography policies follow the RFCs (or do you think RFC is a Restaurant for Chicken)? Are your co-workers trained in spotting fake certificates that are too often used to encourage malware downloads and installations?
Years ago, I used OpenSSL to create my own CA. I called it Sleazy Dog, CA, to highlight the growing trust issues with over-promotion of digital certificates as an easy security mechanism. People didn't get it then, and the article I reference shows it's still an obscure point for many. What do you recommend? Send me enough money, and I'll sell you whatever certificate you want for any identity you want to be. If you review most CAs' contractual language, you'll see there are no guarantees with so many certificates.