<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Answering both, but especially Jerry's rhetorical question. It
comes in two flavours.</p>
<p><br>
</p>
<p>1. The history of SSL. It originally came out of Netscape as an
ADH protocol in version 1. Much outcry and anger "what about the
dreaded MITM? You must use certificates, you really must! Plague
&amp; Pestilence, 7 years bad luck!" Much of this opposition could
be traced back to a little company called RSADSI, which just so
happened to have invested hugely in a little technology called
x.509.<br>
</p>
<p>So Netscape, duly chastened, came out with SSL v2, and started to
issue certificates to server operators. "Oh, no, this cannot be
so! You cannot be the CA, because &lt;windmilling&gt; conflict of
interest, vetting, decentralization, you don't understand certs,
now you're the MITM, angst, the web will collapse &lt;/arms&gt;"
Again, the little company RSADSI seemed to be very vocal on this,
and had apparently started another little company whose name
escapes me, and the boss was holding 15% of the shares...</p>
<p>In the third act, Netscape weakened and allowed other companies
to become CAs and push it out of the business. But for a glorious
moment before shareholder value saved us, the browser vendor was
the CA.</p>
<p><br>
</p>
<p>2. Other CAs came along too, because the first whose name is now
lost in history was high priced. Something in Africa, which was
bought out by the high priced guys? So Netscape and other browser
manufacturers created a 'root list' of CAs. And added CAs as they
turned up. For a while it was free for all. Then it was about who
you knew. Opera charged $8k at one point and you were in!
Microsoft copied others. And others didn't know how to add...
(Then CAcert came along with free certs and this sparked the CAs
to huddle the waggons in a circle and create CABCartel and the
rest is history...)</p>
<p>But from a helicopter view, the addition of the CA to the root
list was just a procedural item. Which is the same as the writing
of a cert to a customer of the CA - a procedural item.</p>
<p>So in effect, <i>the browser manufacturers were CAs</i>. They
just used a different protocol to sign sub-CAs in to their
certified list (aka root list).</p>
<p>For a while I called these über-CAs but the term never caught on,
I wonder why?<br>
</p>
<p><br>
</p>
<p>In sum - browser makers are CAs, they were CAs, and they can be
CAs, we just can't say that, and those über-CAs have to use a
different protocol to do it. And, this complication would have
been folded in and disappeared if it weren't for a little company
whose name I forgot that managed to insert itself into an
otherwise simple process and create a dog's breakfast of security
but a sustainable number printing money machine for itself.</p>
<p><br>
</p>
<p>iang<br>
</p>
<div class="moz-cite-prefix">On 19/04/2025 16:34, Michael Kjörling
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c8182a7c-2a01-442c-b892-c2b7b71ea92a@home.arpa">
<pre wrap="" class="moz-quote-pre">On 18 Apr 2025 19:28 -0400, from <a class="moz-txt-link-abbreviated" href="mailto:leichter@lrw.com">leichter@lrw.com</a> (Jerry Leichter):
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">Pulling this all together: Why aren't any browser makers also CA's?
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Apple is a CA, at least according to themselves.
Google is a CA, at least according to themselves, Microsoft and Mozilla.
Microsoft is a CA, according to themselves, Apple, Google and Mozilla.
Mozilla is the only one that doesn't seem to be trusted as a CA by any
of the major browser makers, but I won't rule out that I'm searching
for the wrong thing.
I'm pretty sure as someone controlling a host name you can get an
actual TLS certificate at least from Google.
Apple's list of currently trusted CAs: <a class="moz-txt-link-freetext" href="https://support.apple.com/en-us/121672">https://support.apple.com/en-us/121672</a>
linked from <a class="moz-txt-link-freetext" href="https://support.apple.com/en-us/103272">https://support.apple.com/en-us/103272</a>
Google's: <a class="moz-txt-link-freetext" href="https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md">https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md</a>
linked from <a class="moz-txt-link-freetext" href="https://pkic.org/ltl/">https://pkic.org/ltl/</a>
Microsoft's: <a class="moz-txt-link-freetext" href="https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT">https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT</a>
linked from <a class="moz-txt-link-freetext" href="https://learn.microsoft.com/en-us/security/trusted-root/participants-list">https://learn.microsoft.com/en-us/security/trusted-root/participants-list</a>
Mozilla's: <a class="moz-txt-link-freetext" href="https://ccadb.my.salesforce-sites.com/mozilla/CACertificatesInFirefoxReport">https://ccadb.my.salesforce-sites.com/mozilla/CACertificatesInFirefoxReport</a>
linked from <a class="moz-txt-link-freetext" href="https://wiki.mozilla.org/CA/Included_Certificates">https://wiki.mozilla.org/CA/Included_Certificates</a>
--
Michael Kjörling
🔗 <a class="moz-txt-link-freetext" href="https://michael.kjorling.se">https://michael.kjorling.se</a>
_______________________________________________
The cryptography mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a>
<a class="moz-txt-link-freetext" href="https://www.metzdowd.com/mailman/listinfo/cryptography">https://www.metzdowd.com/mailman/listinfo/cryptography</a>
</pre>
</blockquote>
</body>
</html>