[Cryptography] TB2F CAs as (un)official browser policy

Rob Stradling rob.stradling at comodo.com
Tue Mar 24 06:52:29 EDT 2015


On 23/03/15 23:35, Tom Mitchell wrote:
> On 20/03/15 09:34, Ben Laurie wrote:
> > From what I can tell, there's quite a difference between
>
> Is there a useful system designed that could demand two or three
> certificates?

None that I can think of.

Perhaps it would be useful to define a new certificate extension that 
enables a single certificate to carry signatures from multiple CAs 
(where each signature is an assertion that that CA has independently 
verified the details in the cert).  Of course it would only be useful if 
the CAs and browsers were interested in implementing it.

> It seems to me that a collection of central authority resources
> will always have an event at one or from time to time where
> the notion of trust is not going to be absolute.
>
> The odds of it happening to three simultaneously seem remote.
>
> Web sites can serve up a cookie that contains the good hash of
> /.CAset (and .ico) that contains a list of CAs and certs to double check.
> With some cookies for local state to bootstrap the checks some
> improvement seems possible especially for the traveler where Home
> is well trusted.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online