However, the procedures required to exploit these weaknesses are slightly more complicated than simply producing a self-signed certificate on the fly for man in the middle use -- they require planning, a waiting period, because CAs do not typically issue immediately.
Hmmn, I guess I was right, you haven't bought any certs lately. Startcom typically issues on the spot, Comodo and Geotrust mail them to you within 15 minutes. I agree that 15 minutes is not exactly the same as immediately, but so what?
And the use of credit card numbers; either legitimate ones, which provide a trail to trace the attacker, or stolen ones, ...
or a prepaid card bought for cash at a convenience or grocery store. Really, this isn't hard to understand. Current SSL signers do no more than tie the identity of the cert to the identity of a domain name. Anyone who's been following the endless crisis at ICANN about bogus WHOIS knows that domain names do not reliably identify anyone.
The only question is... Does it provide an assurance that is at all stronger than a self-signed certificate that can be made on the fly?
And it does... not a strong one, but a slightly stronger one.
I suppose to the extent that 0.2% is greater than 0.1%, perhaps. But not enough for any sensible person to care. Also keep in mind that this particular argument is about the certs used to submit mail to Gmail, which requires a separate SMTP AUTH within the SSL session before you can send any mail. This isn't belt and suspenders, this is belt and a 1/16 inch piece of duct tape.

R's,
John