patri...@certstar.com wrote, On 2008-12-26 14:52:

> Lately we have all seen that the certificate system is not 100%
> secure - mistakes happen. It might never become fully bulletproof but
> one simple change might help a lot.
>
> How about creating certificate type that is registered in a central
> database and require all CAs to check this DB before issuing new
> certificates? Once in that database no certificates could be issued
> for this specific domain. I think that most high profile sites would
> take advantage of such service.
I think you're suggesting a cooperative agreement among CAs, whereby once a cert was issued for a domain name by one CA, other cooperating CAs would refuse to issue a cert for that same domain name. Is that what you're suggesting?

Assuming that it is, here are some questions and observations.

1) What problem would this proposed "central database" solve? Would it exist merely to keep CAs from inadvertently soliciting the customers of their competitors? What other purpose, if any, would it achieve?

2) Would this lock a cert customer into a single vendor? Would it prevent a party from enrolling for certs from several different CAs? As an acquirer of certificates, I would not want to be "locked in" to a single CA.

3) If some CAs agree to such an approach, and others do not, is it still valuable?

4) I think this database effectively exists already, albeit in a distributed (not centralized) fashion. If you want to know if the server at a certain DNS name already has a cert, and who issued it, and when it is due to expire, you can simply visit that server with an SSL client on any (or all) of the usual SSL ports (443, 465, 993), get the server's current cert, and get all that information from it. I suspect you know this already. :)

5) There is an organization of cooperating CAs and browser makers, known as the CA-Browser Forum (CABForum.org), the people behind EV. They're probably the group to which proposals for CA cooperation should be directed. They only admit CAs, and as Certstar is an RA, I'm not sure you could become a member. But Comodo could represent you, or perhaps invite you to participate in the mailing list. And you can always send email to the email address on their web site.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
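Point 4 above describes the "distributed database": connect to the server on its usual TLS ports, fetch the certificate it presents, and read the subject, issuer and expiry out of it. The script below is an added example written for this page, not code from the thread or from any CA; it uses only the Python standard library. The host name `www.example.test`, the sample certificate dict `SAMPLE_CERT` (shaped like what `ssl.SSLSocket.getpeercert()` returns) and the issuer names in it are constructed for illustration.

```python
import socket
import ssl
import sys
import time

# Ports named in the post: HTTPS, SMTP over TLS, IMAP over TLS.
DEFAULT_PORTS = (443, 465, 993)


def fetch_server_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection to host:port and return the peer
    certificate in the dict form produced by ssl.SSLSocket.getpeercert().
    The default context verifies the chain and host name, so a cert that
    does not validate raises ssl.SSLError instead of being summarised."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_time_to_epoch(cert_time):
    """getpeercert() renders validity as e.g. 'Dec 26 23:59:59 2009 GMT';
    ssl.cert_time_to_seconds turns that into UTC epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def _rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    flat = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def summarize_cert(cert, now=None):
    """Extract the facts the post mentions from a getpeercert() dict:
    which names the cert covers, who issued it, and when it expires.
    `now` is epoch seconds; it defaults to the current time."""
    if now is None:
        now = int(time.time())
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    not_after = cert_time_to_epoch(cert["notAfter"])
    return {
        "subject_cn": subject.get("commonName"),
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "issuer_cn": issuer.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "serial": cert.get("serialNumber"),
        "not_after": cert["notAfter"],
        "days_left": (not_after - now) // 86400,
        "expired": not_after <= now,
    }


# Constructed sample in getpeercert() shape, so the summariser can be
# exercised offline. Names and serial are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Inc"),),
        (("commonName", "Example Issuing CA"),),
    ),
    "notBefore": "Dec 26 00:00:00 2008 GMT",
    "notAfter": "Dec 26 23:59:59 2009 GMT",
    "serialNumber": "0123456789ABCDEF",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}


if __name__ == "__main__":
    # Usage: python check_cert.py host [host ...]
    hosts = sys.argv[1:] or ["www.example.test"]  # placeholder host
    for host in hosts:
        for port in DEFAULT_PORTS:
            try:
                info = summarize_cert(fetch_server_cert(host, port))
            except (OSError, ssl.SSLError) as exc:
                print(f"{host}:{port}  no usable cert ({exc})")
                continue
            print(f"{host}:{port}  names={info['dns_names']} "
                  f"issuer={info['issuer_org']} / {info['issuer_cn']} "
                  f"expires={info['not_after']} ({info['days_left']} days left)")
```

Two caveats worth keeping in mind when reading the output: the summary describes only the certificate the server is presenting right now, not every certificate any CA has ever issued for that name, and `days_left` is computed against the clock of the machine running the check, so run it from a host with correct time.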