[10910] in cryptography@c2.net mail archive
Re: RSA getting rid of trusted third parties?
daemon@ATHENA.MIT.EDU (Ian Clelland)
Fri Jun 21 15:32:32 2002
Date: Fri, 21 Jun 2002 11:48:00 -0700
From: Ian Clelland <ian@veryfresh.com>
To: cryptography@wasabisystems.com
Cc: Michael_Heyman@NAI.com
Mail-Followup-To: cryptography@wasabisystems.com,
Michael_Heyman@NAI.com
In-Reply-To: <DBF2F9C6F6BAD211BB1B00A0C99D9702AFC681@ROC-76-201.nai.com>
On Fri, Jun 21, 2002 at 08:28:40AM -0500, Michael_Heyman@NAI.com wrote:
> I came across this interesting announcement by RSA:
>
> <http://www.rsasecurity.com/news/pr/2002/020619.html>
>
> Particularly from the above announcement:
>
> By using this solution, customers' Web server certificates
> generated and issued by their RSA Keon Certificate Authority
> (CA) software are designed to be automatically validated -
> and therefore trusted - by popular Web browsers, e-mail
> packages and other applications that leverage the recognized
> issuer lists of these Web browsers.
>
> This announcement appears to completely break down the trust model assuming
> anybody can host a Keon CA that will issue trusted certificates.
But haven't browsers supported certificate chaining for years? As far
as I can tell, that's all this is - RSA issues you a cert which says
that you are trusted to create additional certificates (presumably just
for entities within your organisation).
The trust model doesn't break down just because anyone can create a
valid X.509 certificate. There still has to be a valid chain of trust
leading back to a trusted party (RSA, in this case). If that trust is
abused, then RSA can revoke your cert and break the chain.
Ian Clelland
<ian@veryfresh.com>
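As an added worked example (not part of Ian's reply and not RSA's product), the delegation described above built and checked with the openssl command line: a root CA issues a customer sub-CA certificate, the sub-CA issues a web server certificate, openssl verify accepts the chain, a name-constrained sub-CA cannot certify names outside its own domain, and revoking the sub-CA in the root's CRL breaks the chain. It assumes openssl 1.1.1 or later on PATH; the names Example Root CA, Customer Sub-CA and example.com are made up.

```shell
#!/bin/sh
# Added example, not code from the original post or from RSA Keon. Assumes
# openssl 1.1.1+ on PATH. All names (Example Root CA, Customer Sub-CA,
# example.com, example.org) are made up for the demonstration.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: a [req] stanza so -config works without a system openssl.cnf,
# the root's extensions, and two `openssl ca` stanzas used only for CRLs/revocation.
cat > cfg.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ root_ca ]
database = root_index.txt
serial = root_serial
crlnumber = root_crlnumber
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 30
policy = loose
[ subca_ca ]
database = subca_index.txt
serial = subca_serial
crlnumber = subca_crlnumber
certificate = subca.pem
private_key = subca.key
default_md = sha256
default_crl_days = 30
policy = loose
[ loose ]
commonName = supplied
EOF
for ca in root subca; do touch "${ca}_index.txt"; echo 01 > "${ca}_serial"; echo 01 > "${ca}_crlnumber"; done

# issue_cert NAME SUBJECT ISSUER EXT...: new key and CSR, signed by ISSUER with the given extensions
issue_cert() {
    name=$1; subject=$2; issuer=$3; shift 3
    printf '%s\n' "$@" > "$name.ext"      # one extension per remaining argument
    openssl req -new -config cfg.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subject" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
}

# issue_server NAME DNSNAME ISSUER: an end-entity TLS server certificate
issue_server() {
    issue_cert "$1" "/CN=$2" "$3" "basicConstraints = critical, CA:FALSE" \
        "keyUsage = critical, digitalSignature, keyEncipherment" \
        "extendedKeyUsage = serverAuth" "authorityKeyIdentifier = keyid:always" \
        "subjectAltName = DNS:$2"
}

# verify_chain CERT: "OK" if CERT chains to root.pem through subca.pem and nothing
# in the chain is revoked (both CRLs are consulted), otherwise "FAILED"
verify_chain() {
    cat root.crl subca.crl > all.crl
    if openssl verify -CAfile root.pem -untrusted subca.pem -crl_check_all -CRLfile all.crl \
        "$1" >/dev/null 2>&1; then echo OK; else echo FAILED; fi
}

# Root CA: the anchor relying parties already trust (RSA's root, in the announcement)
openssl req -x509 -new -config cfg.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 3650 -subj "/CN=Example Root CA" 2>/dev/null
# Customer sub-CA: CA:TRUE so it may issue certs, pathlen:0 so it may not delegate
# further, nameConstraints so it may only certify names under example.com
issue_cert subca "/CN=Customer Sub-CA" root \
    "basicConstraints = critical, CA:TRUE, pathlen:0" \
    "keyUsage = critical, keyCertSign, cRLSign" "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid:always" \
    "nameConstraints = critical, permitted;DNS:example.com"
issue_server leaf  www.example.com subca      # inside the constraint
issue_server stray www.example.org subca      # outside it
openssl ca -config cfg.cnf -name root_ca  -gencrl -out root.crl  2>/dev/null   # empty CRLs
openssl ca -config cfg.cnf -name subca_ca -gencrl -out subca.crl 2>/dev/null

BEFORE=$(verify_chain leaf.pem); STRAY=$(verify_chain stray.pem)
# The root revokes the sub-CA: everything below it now fails, as the reply describes
openssl ca -config cfg.cnf -name root_ca -revoke subca.pem 2>/dev/null
openssl ca -config cfg.cnf -name root_ca -gencrl -out root.crl 2>/dev/null
AFTER=$(verify_chain leaf.pem)
echo "leaf, valid chain:         $BEFORE"   # OK
echo "stray, name outside scope: $STRAY"    # FAILED
echo "leaf, sub-CA revoked:      $AFTER"    # FAILED
```

Note that openssl verify only consults the CRLs because the script asks it to (-crl_check_all); run the same verify without the CRL options after the revocation and the chain still validates. Revocation breaks the chain only for relying parties that actually fetch and check the issuer's revocation data, which is the practical limit of the "RSA can revoke your cert" argument.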
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com