RSA getting rid of trusted third parties?

Ian Clelland ian at veryfresh.com
Fri Jun 21 14:48:00 EDT 2002


On Fri, Jun 21, 2002 at 08:28:40AM -0500, Michael_Heyman at NAI.com wrote:
> I came across this interesting announcement by RSA:
> 
> <http://www.rsasecurity.com/news/pr/2002/020619.html>
> 
> Particularly from the above announcement:
> 
>    By using this solution, customers' Web server certificates 
>    generated and issued by their RSA Keon Certificate Authority 
>    (CA) software are designed to be automatically validated - 
>    and therefore trusted - by popular Web browsers, e-mail 
>    packages and other applications that leverage the recognized 
>    issuer lists of these Web browsers.
> 
> This announcement appears to completely break down the trust model assuming
> anybody can host a Keon CA that will issue trusted certificates.

But haven't browsers supported certificate chaining for years? As far 
as I can tell, that's all this is - RSA issues you a cert which says 
that you are trusted to create additional certificates (presumably just 
for entities within your organisation).

The trust model doesn't break down just because anyone can create a 
valid X.509 certificate. There still has to be a valid chain of trust 
leading back to a trusted party (RSA, in this case). If that trust is 
abused, then RSA can revoke your cert and break the chain.

Ian Clelland
<ian at veryfresh.com>
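The mechanism described above (a browser accepts a server certificate only if it chains, through an intermediate CA certificate, to a root the browser already trusts, and the root CA can break that chain by revoking the intermediate), as an added runnable example in Go. This is not code from the thread or from RSA's product; it uses only the Go standard library. It builds a self-signed root, a subordinate CA certificate restricted by a DNS name constraint (a way of expressing the "presumably just for entities within your organisation" guess; whether Keon actually issued name-constrained certificates is not stated in the thread), and two server certificates. The CA names, the example.org / example.com hosts and the serial numbers are constructed for the demo. One caveat a relying party needs to know: Go's Verify does not consult CRLs, so the revocation step is written out as an explicit check against a CRL signed by the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainDemo reports each check separately so a caller (or a test) can inspect them.
type ChainDemo struct {
	InOrgOK             bool  // leaf for www.example.org chains up to the trusted root
	OutOfOrgErr         error // leaf for www.example.com: rejected by the sub-CA's name constraint
	NoRootErr           error // the good leaf again, but validated against an empty trust store
	IntermediateRevoked bool  // the root's CRL lists the customer sub-CA's serial number
}

func must[T any](v T, err error) T { // abort on setup errors; the checks of interest are reported in ChainDemo
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// caTemplate builds a CA certificate template; callers add path-length and name constraints.
func caTemplate(serial int64, cn string, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true,
	}
}

func RunChainDemo() (d ChainDemo) {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, caKey, leafKey := newKey(), newKey(), newKey()

	// 1. Self-signed root: the party that relying software already trusts (RSA, in the thread).
	rootTmpl := caTemplate(1, "Demo Root CA", now, 10) // all names and serials here are constructed
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// 2. Sub-CA cert issued to the customer: pathlen 0 and a DNS name constraint for its own namespace.
	caTmpl := caTemplate(2, "Customer Sub CA", now, 2)
	caTmpl.MaxPathLen, caTmpl.MaxPathLenZero = 0, true
	caTmpl.PermittedDNSDomainsCritical, caTmpl.PermittedDNSDomains = true, []string{"example.org"}
	subCA := issue(caTmpl, root, &caKey.PublicKey, rootKey)

	// 3. End-entity (web server) certificates signed by the customer's sub-CA.
	leafFor := func(serial int64, host string) *x509.Certificate {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, subCA, &leafKey.PublicKey, caKey)
	}
	inOrg, outOfOrg := leafFor(3, "www.example.org"), leafFor(4, "www.example.com")

	// 4. Path validation as a browser does it: a chain through the untrusted intermediate must end at a trusted root.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	verify := func(leaf *x509.Certificate, trusted *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: inters, DNSName: leaf.DNSNames[0], CurrentTime: now})
		return err
	}
	d.InOrgOK = verify(inOrg, roots) == nil
	d.OutOfOrgErr = verify(outOfOrg, roots)
	d.NoRootErr = verify(inOrg, x509.NewCertPool())

	// 5. Breaking the chain: a root-signed CRL lists the sub-CA. Go's Verify ignores CRLs, so check it explicitly.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: subCA.SerialNumber, RevocationTime: now}},
	}, root, rootKey))
	crl := must(x509.ParseRevocationList(crlDER))
	must(0, crl.CheckSignatureFrom(root)) // never honour a CRL whose signature does not verify
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(subCA.SerialNumber) == 0 {
			d.IntermediateRevoked = true
		}
	}
	return d
}

func main() { fmt.Printf("%+v\n", RunChainDemo()) }
```

Run it with go run; it prints the four results. The interesting ones are the two failures: the certificate for www.example.com is perfectly well formed and correctly signed by the sub-CA, and is still rejected because the sub-CA's own certificate does not authorise that name; and the good www.example.org certificate is rejected the moment the root is absent from the trust store, which is the "valid chain of trust leading back to a trusted party" point in plain code.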

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
