RSA getting rid of trusted third parties?
Ian Clelland
ian at veryfresh.com
Fri Jun 21 14:48:00 EDT 2002
On Fri, Jun 21, 2002 at 08:28:40AM -0500, Michael_Heyman at NAI.com wrote:
> I came across this interesting announcement by RSA:
>
> <http://www.rsasecurity.com/news/pr/2002/020619.html>
>
> Particularly from the above announcement:
>
> By using this solution, customers' Web server certificates
> generated and issued by their RSA Keon Certificate Authority
> (CA) software are designed to be automatically validated -
> and therefore trusted - by popular Web browsers, e-mail
> packages and other applications that leverage the recognized
> issuer lists of these Web browsers.
>
> This announcement appears to completely break down the trust model assuming
> anybody can host a Keon CA that will issue trusted certificates.
But haven't browsers supported certificate chaining for years? As far
as I can tell, that's all this is - RSA issues you a cert which says
that you are trusted to create additional certificates (presumably just
for entities within your organisation).
The trust model doesn't break down just because anyone can create a
valid X.509 certificate. There still has to be a valid chain of trust
leading back to a trusted party (RSA, in this case). If that trust is
abused, then RSA can revoke your cert and break the chain.
Ian Clelland
<ian at veryfresh.com>
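The chaining and revocation argument in the post above, as an added example that is not part of the original message and is not RSA Keon or browser code. It uses only Go's standard library to build a constructed three-tier hierarchy: a self-signed root standing in for the browser-trusted RSA root, a customer sub-CA standing in for a Keon CA, and two leaves issued by that sub-CA. All names ("Example Root CA", "Customer Sub CA", example.org, bank.example) are hypothetical. The "only for entities within your organisation" restriction is expressed as a pathLen 0 basic constraint plus a DNS name constraint on the delegated cert, and "RSA can revoke your cert" is modeled as a CRL signed by the root; since Go's x509 Verify does not consult CRLs, the relying-party check is written out explicitly:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed hierarchy (hypothetical names): Root stands in for
// the browser-trusted root, Sub for a customer's delegated CA, Leaf for a
// server cert within the customer's domain and Rogue for one outside it.
type PKI struct {
	Root, Sub, Leaf, Rogue *x509.Certificate
	RootKey                *ecdsa.PrivateKey
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed cert.
// It returns the parsed certificate and the subject's freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func newTemplate(serial int64, cn string, dns ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

func BuildPKI() *PKI {
	rootT := newTemplate(1, "Example Root CA")
	rootT.IsCA, rootT.BasicConstraintsValid = true, true
	rootT.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(rootT, nil, nil)

	// The delegated cert: CA:TRUE, but pathLen 0 (it may sign leaves only)
	// and a name constraint limiting it to the customer's own domain.
	subT := newTemplate(2, "Customer Sub CA")
	subT.IsCA, subT.BasicConstraintsValid = true, true
	subT.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	subT.MaxPathLen, subT.MaxPathLenZero = 0, true
	subT.PermittedDNSDomains = []string{"example.org"}
	subT.PermittedDNSDomainsCritical = true
	sub, subKey := issue(subT, root, rootKey)

	leaf, _ := issue(newTemplate(3, "www.example.org", "www.example.org"), sub, subKey)
	// The sub-CA can sign a cert for someone else's domain, but relying
	// parties that enforce the name constraint will not accept it.
	rogue, _ := issue(newTemplate(4, "www.bank.example", "www.bank.example"), sub, subKey)
	return &PKI{root, sub, leaf, rogue, rootKey}
}

// Check does what a browser does: build a chain from cert to a trusted root
// (enforcing basicConstraints, pathLen and name constraints), then reject the
// chain if any member issued by the CRL's issuer is listed as revoked.
func Check(p *PKI, crl *x509.RevocationList, cert *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Sub)
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(p.Root); err != nil {
		return err // a CRL not signed by the issuer proves nothing
	}
	for _, c := range chains[0] { // leaf, sub-CA, root
		if !bytes.Equal(c.RawIssuer, crl.RawIssuer) {
			continue
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
				return errors.New("chain broken: " + c.Subject.CommonName + " is revoked")
			}
		}
	}
	return nil
}

// RevokeSub has the root publish a CRL listing the sub-CA's serial number,
// which is how the root operator cuts off a delegated CA that abused its trust.
func RevokeSub(p *PKI) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.Sub.SerialNumber, RevocationTime: now}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.RootKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

func main() {
	p := BuildPKI()
	fmt.Println("leaf, no CRL:      ", Check(p, nil, p.Leaf, "www.example.org"))
	fmt.Println("rogue, no CRL:     ", Check(p, nil, p.Rogue, "www.bank.example"))
	fmt.Println("leaf, sub revoked: ", Check(p, RevokeSub(p), p.Leaf, "www.example.org"))
}
```

Two points the example makes visible: the pathLen and name constraints are just bits in the delegated cert, so they protect nothing unless the relying party enforces them (the rogue leaf is rejected by the verifier, not prevented at signing time); and revocation only breaks the chain for relying parties that actually fetch and check the issuer's CRL, which this code has to do by hand because Go's Verify does not.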
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com