RSA getting rid of trusted third parties?

Michael_Heyman at NAI.com
Fri Jun 21 15:54:25 EDT 2002


> From: Ian Clelland [mailto:ian at veryfresh.com] 
> Sent: Friday, June 21, 2002 2:48 PM
> 
> On Fri, Jun 21, 2002 at 08:28:40AM -0500, 
> Michael_Heyman at NAI.com wrote:
> > I came across this interesting announcement by RSA:
> > 
> > <http://www.rsasecurity.com/news/pr/2002/020619.html>
> > 
> > Particularly from the above announcement:
> > 
> >    By using this solution, customers' Web server certificates 
> >    generated and issued by their RSA Keon Certificate Authority 
> >    (CA) software are designed to be automatically validated - 
> >    and therefore trusted - by popular Web browsers, e-mail 
> >    packages and other applications that leverage the recognized 
> >    issuer lists of these Web browsers.
> > 
> > This announcement appears to completely break down the trust model 
> > assuming anybody can host a Keon CA that will issue trusted 
> > certificates.
> 
> But haven't browsers supported certificate chaining for 
> years? As far as I can tell, that's all this is - RSA 
> issues you a cert which says that you are trusted to 
> create additional certificates (presumably just for 
> entities within your organisation).
> 
> The trust model doesn't break down just because anyone can create a 
> valid X.509 certificate. There still has to be a valid chain of trust 
> leading back to a trusted party (RSA, in this case). If that trust is 
> abused, then RSA can revoke your cert and break the chain.
> 
Maybe I am reading more into it than exists, but the bullet in the document
says it will:

  Reduce help desk calls from end-users related to "untrusted" 
  certificates

That and the other language lead me to believe they have a trusted root
already loaded in my browser that they let anybody authenticate to that is
willing to buy their certificate authority software and that my browser will
think those certificates are fine. I just hope that none of the private keys
of all these (many probably unsecured) CAs leak.

-Michael Heyman
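Ian's chaining argument, worked through as an added example that is not from the list or from RSA: a toy Python model of how a browser validates a certificate chain back to a trusted root, and where revocation and name constraints break it. The tiny RSA keys, the Cert structure, the "Example Root CA" and "Acme Customer CA" names and the suffix-based name constraint are all assumptions of the example; the page does not say how the Keon product actually constrained customer CAs.

```python
import hashlib
from dataclasses import dataclass
def keypair(p, q, e=65537):   # toy RSA on tiny fixed primes: constructed here, worthless as real keys
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, priv):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(data, sig, pub):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
@dataclass
class Cert:
    subject: str
    pub: tuple                      # subject's public key
    issuer: str
    is_ca: bool = False             # basicConstraints CA flag
    permitted: str = ""             # nameConstraints: DNS suffix allowed below this CA ("" = none)
    sig: int = 0
    def tbs(self):                  # the to-be-signed fields
        return repr((self.subject, self.pub, self.issuer, self.is_ca, self.permitted)).encode()
def issue(issuer, issuer_priv, subject, pub, **opts):
    cert = Cert(subject, pub, issuer, **opts)
    cert.sig = sign(cert.tbs(), issuer_priv)
    return cert

def validate(chain, trust_store, revoked=frozenset()):   # chain = [leaf, ..., root-signed cert]
    issuer_pub, suffixes = trust_store.get(chain[-1].issuer), []
    if issuer_pub is None:
        return False, f"issuer {chain[-1].issuer!r} is not in the trust store"
    for i, cert in enumerate(reversed(chain)):   # from the root-signed cert down to the leaf
        if cert.subject in revoked:
            return False, f"{cert.subject!r} is revoked"
        if not verify(cert.tbs(), cert.sig, issuer_pub):
            return False, f"bad signature on {cert.subject!r}"
        if any(not cert.subject.endswith(s) for s in suffixes):
            return False, f"{cert.subject!r} is outside permitted names {suffixes}"
        if i < len(chain) - 1:                    # every cert but the leaf must be a CA
            if not cert.is_ca:
                return False, f"{cert.subject!r} is not a CA"
            if cert.permitted:                    # constraints accumulate down the chain
                suffixes.append(cert.permitted)
        issuer_pub = cert.pub
    return True, "chain validates"

# Constructed scenario: one trusted root signs a domain-constrained customer CA, which signs its own server cert.
root_pub, root_priv = keypair(999983, 1000003)
(acme_pub, acme_priv), (www_pub, _) = keypair(999979, 1000033), keypair(999961, 999959)
TRUST = {"Example Root CA": root_pub}
acme_ca = issue("Example Root CA", root_priv, "Acme Customer CA", acme_pub, is_ca=True, permitted=".acme.example")
www = issue("Acme Customer CA", acme_priv, "www.acme.example", www_pub)
```

Without the name constraint on the customer CA, a leaked customer key would let its holder issue certificates for any name the browser would accept, which is the exposure Michael is worried about; with it, and with revocation of the customer CA cert, the damage is bounded.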

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
