[Cryptography] Chrome & Firefox protecting users against Symantec (Thawte, Verisign, Equifax, Geotrust, RapidSSL, etc) certs.

Watson Ladd watsonbladd at gmail.com
Tue Sep 12 20:33:57 EDT 2017


On Tue, Sep 12, 2017 at 2:09 PM, Salz, Rich via cryptography
<cryptography at metzdowd.com> wrote:
>
>>    (Side question:  Why the heck did Symantec think it needed so many
>>    different names?  When I see other companies playing shell games like
>>    that my first thought is money laundering.)
>
> Because they bought other CAs, which had previously in turn acquired yet other CAs.  The root keys are identified in a number of ways – name, key-hash, etc – and often embedded in systems that cannot be easily modified, if at all.
>
> So while it might be nice to ‘clean up’ the naming tree and consolidate it, there are reasons to not do so and the strongest reason in favor is really little more than nerd aesthetics.

Doesn't cleaning it up and mothballing some CAs reduce the scope of
audits? If Symantec had issued new browser certs only from one CA, and
put all the others outside the scope of the BRs by mothballing them,
they wouldn't have nearly as many problems as they do now.

>
>         /r$
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
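Rich's point that a root is pinned by name, by key hash, or by certificate fingerprint depending on the consumer is easy to check against a real trust store. The following Go program is an added example for this thread, not code from either poster: it builds three constructed, throwaway self-signed roots (two different subject names over the same key, one over a second key, all generated at run time) and groups them by SHA-256 of the SubjectPublicKeyInfo. A store that keys on SPKI hash sees one identity for the renamed pair; a store that keys on subject name or whole-certificate fingerprint sees two, which is why a root cannot be "consolidated" by reissuing it under a new name without breaking one class of relying party. The same `groupRootsByKey` can be pointed at a parsed system trust store to inventory roots that share a key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// spkiHash returns the hex SHA-256 of the certificate's SubjectPublicKeyInfo,
// the key-hash identity that survives a rename of the root.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// certHash returns the hex SHA-256 fingerprint of the whole DER certificate,
// the identity used by stores that pin the exact root certificate.
func certHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// groupRootsByKey buckets roots by SPKI hash, so roots that are really the
// same key under different names land in the same bucket.
func groupRootsByKey(roots []*x509.Certificate) map[string][]string {
	groups := map[string][]string{}
	for _, c := range roots {
		k := spkiHash(c)
		groups[k] = append(groups[k], c.Subject.CommonName)
	}
	return groups
}

// selfSignedRoot builds a constructed, short-lived CA certificate for name
// signed by key. Names and serials here are hypothetical.
func selfSignedRoot(name string, key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleRoots returns three constructed roots: index 0 and 1 share one key
// under two names (the "renamed root" case); index 2 uses a second key.
func SampleRoots() ([]*x509.Certificate, error) {
	k1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	oldName, err := selfSignedRoot("Example Root CA (old name)", k1, 1)
	if err != nil {
		return nil, err
	}
	newName, err := selfSignedRoot("Example Root CA (new name)", k1, 2)
	if err != nil {
		return nil, err
	}
	other, err := selfSignedRoot("Other Root CA", k2, 3)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{oldName, newName, other}, nil
}

func main() {
	roots, err := SampleRoots()
	if err != nil {
		panic(err)
	}
	for k, names := range groupRootsByKey(roots) {
		fmt.Printf("SPKI %s...: %v\n", k[:16], names)
	}
	fmt.Println("same key, same cert fingerprint?", certHash(roots[0]) == certHash(roots[1]))
}
```

Run as-is to see two key groups for three names; the renamed pair shares an SPKI hash but not a certificate fingerprint.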

