[45454564654]

All that's require are scanned documents. And these documents can easily be tampered with or photoshopped. You may think your company details are checked before the cert is issued, but that's crap. We email our docs to a US company, and all the docs are issued by Irish government departments. There's no way in hell that some guy in what amounts to a call centre in the US has access to any Irish database to prove or disprove their validity. SSL certs are a crock of shit - all you need to do to get one you're not entitled to is to be slightly outside the norm, and claiming any small country as your location is good enough for that. Hell, you could make up your own government departments and documents, and that'd be good enough for must of these companies.

[tptacek]

Give me a break. This is like saying all online security is a sham because I can always physically break into your office. You know how many times a real CA has fucked up and accidentally issued a Bank of America certificate to organized criminals in Estonia? ZERO.

[nickf]

You can say it's crap all you want, but until you've worked inside a CA and seen what goes on - you know shit. Good luck ordering a cert with your 'shopped docs...