IP: SSL Certificate "Monopoly" Bears Financial Fruit

Lucky Green shamrock at cypherpunks.to
Thu Jul 11 04:22:18 EDT 2002


Peter Gutmann wrote, quoting Matthias Bruestle:
> Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted
> CA certs.
>
>  * Certs with 512-bit keys.
>
>  * Certs with 40-year lifetimes.
>
>  * Certs from organisations you've never heard of before ("Honest Joe's
>    Used Cars and Certificates").
>
>  * Certs from CAs with unmaintained/moribund websites
>    ("404.notfound.com").

One thing to keep in mind is that the name of the CA on the
pre-installed root cert in some cases will bear no relation to the
actual issuer of the cert. Just because the business of
some.trusted.ca.nil has gone under does not mean their root keys are out
of circulation.

"Trusted roots" have long been bought and sold on the secondary market
as any other commodity. For surprisingly low amounts, you too can own a
trusted root that comes pre-installed in >95% of all web browsers
deployed.

In fact, it is considerably more expensive for an aspiring public CA
provider to incur the costs of policies and procedures development,
equipment expenditures, auditing cost, etc. required to have a root
added to browsers nowadays than it is to just buy an existing trusted
CA's Chrysalis or nCipher HSM.

--Lucky


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com


