> From: Ian Clelland [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 21, 2002 2:48 PM
>
> On Fri, Jun 21, 2002 at 08:28:40AM -0500, [EMAIL PROTECTED] wrote:
> > I came across this interesting announcement by RSA:
> >
> > <http://www.rsasecurity.com/news/pr/2002/020619.html>
> >
> > Particularly from the above announcement:
> >
> > By using this solution, customers' Web server certificates
> > generated and issued by their RSA Keon Certificate Authority
> > (CA) software are designed to be automatically validated -
> > and therefore trusted - by popular Web browsers, e-mail
> > packages and other applications that leverage the recognized
> > issuer lists of these Web browsers.
> >
> > This announcement appears to completely break down the trust model
> > assuming anybody can host a Keon CA that will issue trusted
> > certificates.
>
> But haven't browsers supported certificate chaining for
> years? As far as I can tell, that's all this is - RSA
> issues you a cert which says that you are trusted to
> create additional certificates (presumably just for
> entities within your organisation).
>
> The trust model doesn't break down just because anyone can create a
> valid X.509 certificate. There still has to be a valid chain of trust
> leading back to a trusted party (RSA, in this case). If that trust is
> abused, then RSA can revoke your cert and break the chain.

Maybe I am reading more into it than exists, but the bullet in the document says it will:
    Reduce help desk calls from end-users related to "untrusted" certificates

That and the other language lead me to believe they have a trusted root already loaded in my browser that they let anybody authenticate to that is willing to buy their certificate authority software, and that my browser will think those certificates are fine.

I just hope that none of the private keys of all these (many probably unsecured) CAs leak.

-Michael Heyman

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
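The two positions in the thread (a cross-signed customer CA chains back to a root the browser already ships, and the root operator can cut that chain by revoking the customer CA) come down to how path validation walks issuer links. The following is an added example, not code from the thread or from RSA's Keon product: a simplified, stdlib-only model of X.509 path validation. The names ("RSA Root CA", "Example Corp Keon CA", "www.example.com"), the keys and the revocation set are constructed for the example, and an HMAC stands in for the RSA signature so that it runs without any third-party library; the chain-walking logic (trust anchor lookup, the basicConstraints CA flag, revocation, loop and length bounds) is the part that carries the point.

```python
"""Simplified X.509 path validation: a leaf is trusted only if every issuer
link leads to a root in the trust store, every intermediate is a CA, and no
certificate on the path has been revoked.  HMAC is a stand-in for RSA
signatures (constructed for this example), so a cert's `key` is shared by
issuer and verifier; in real X.509 the verifier uses the issuer's public key."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool      # basicConstraints cA flag
    key: bytes       # toy key standing in for the subject's public key
    sig: bytes = b""  # signature placed by the issuer over tbs()

    def tbs(self) -> bytes:
        """The 'to-be-signed' fields, as in X.509."""
        return f"{self.subject}|{self.issuer}|{int(self.is_ca)}|{self.key.hex()}".encode()


def _sign(issuer_key: bytes, cert: Cert) -> bytes:
    return hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()


def self_signed_root(subject: str, key: bytes) -> Cert:
    root = Cert(subject, subject, True, key)
    root.sig = _sign(key, root)
    return root


def issue(issuer: Cert, subject: str, key: bytes, is_ca: bool) -> Cert:
    """Issuer signs a new certificate for `subject` (CA or end-entity)."""
    cert = Cert(subject, issuer.subject, is_ca, key)
    cert.sig = _sign(issuer.key, cert)
    return cert


def sig_ok(issuer: Cert, cert: Cert) -> bool:
    return hmac.compare_digest(_sign(issuer.key, cert), cert.sig)


def validate(leaf: Cert, intermediates: dict, trust_store: dict, revoked: set,
             max_depth: int = 8):
    """Walk issuer links from `leaf` up to a trust anchor. Returns (ok, reason)."""
    cur, seen = leaf, set()
    for _ in range(max_depth):
        if cur.subject in revoked:
            return False, f"{cur.subject} is revoked"
        if cur.issuer in trust_store:            # reached a shipped root
            root = trust_store[cur.issuer]
            if not sig_ok(root, cur):
                return False, f"bad signature on {cur.subject}"
            return True, f"chains to trusted root {root.subject}"
        issuer = intermediates.get(cur.issuer)
        if issuer is None:
            return False, f"no path from {cur.issuer} to a trusted root"
        if issuer.subject in seen or issuer is cur:
            return False, f"{issuer.subject} is self-signed but not a trust anchor"
        if not issuer.is_ca:                     # end-entity certs cannot issue
            return False, f"{issuer.subject} is not a CA"
        if not sig_ok(issuer, cur):
            return False, f"bad signature on {cur.subject}"
        seen.add(cur.subject)
        cur = issuer
    return False, "path too long"


def demo() -> dict:
    """Four scenarios from the thread; returns {name: validated?}."""
    rsa_root = self_signed_root("RSA Root CA", b"rsa-root-key")
    trust_store = {rsa_root.subject: rsa_root}   # what the browser ships with

    # Customer-operated CA, cross-signed by the root with the CA flag set.
    keon = issue(rsa_root, "Example Corp Keon CA", b"example-keon-key", is_ca=True)
    www = issue(keon, "www.example.com", b"www-key", is_ca=False)
    intermediates = {keon.subject: keon}

    results = {"normal": validate(www, intermediates, trust_store, set())[0]}
    # Root operator revokes the customer CA: everything below it stops validating.
    results["revoked_ca"] = validate(www, intermediates, trust_store, {keon.subject})[0]
    # An end-entity cert (no CA flag) tries to act as an issuer.
    rogue = issue(www, "other.example.net", b"rogue-key", is_ca=False)
    results["non_ca_issuer"] = validate(
        rogue, {**intermediates, www.subject: www}, trust_store, set())[0]
    # A self-made root nobody cross-signed and the browser never shipped.
    home_root = self_signed_root("Home-made Root", b"home-key")
    home_leaf = issue(home_root, "www.example.com", b"fake-key", is_ca=False)
    results["unknown_root"] = validate(
        home_leaf, {home_root.subject: home_root}, trust_store, set())[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'valid' if ok else 'rejected'}")
```

Only the first scenario validates; the other three show why a cross-signed CA does not by itself weaken the model (an unknown root or a non-CA issuer is rejected) and how the root operator can sever the chain by revocation. What the model does not capture is the thread's remaining worry: revocation only helps if the relying party actually checks it, and a leaked customer CA key issues perfectly valid chains until it is revoked.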
