On 2011-09-07 16:13, [email protected] wrote:

> Peter (or anyone) -- would you comment on the existence and
> practice of "bridge CAs" please? Extra credit (as in "thank
> you") for its plausible role in public clouds.
Dan,

Bridge CAs serve to graft a new top-level root above a preexisting set of root CAs. Bridge CAs' practical purpose is generally to facilitate PKI adoption in a particular industry vertical or geographical region. An example of a bridge CA would be the aerospace bridge CA Certipath. It bridges the Federal Bridge CA (issuing certs to federal employees, a large customer of the aerospace industry) and various CAs trusted by aerospace companies, such as CAs operated by Boeing, Lockheed Martin, Raytheon, and EADS.

Bridge CAs permit existing customers of a particular CA to continue to obtain certificates from the CA to which they are accustomed while equally trusting certificates issued by all other CAs that are part of the Bridge.

You can analyze Bridge CAs in a number of dimensions. Some of the most popular dimensions for analysis are risk management and marketing.

From a risk management perspective, the Bridge CA levels the risk playing field to the lowest common denominator. If DoD, Lockheed, Boeing, and EADS all trust certs that chain to the Bridge CA, then a hacker or rogue employee that gains control of the EADS root CA can issue certs to Iranian hackers that Lockheed employees' certificate-consuming software will believe belong to a DoD contract administrator asking for copies of blueprints for Lockheed's newest fighter aircraft.

From a marketing perspective (which does not apply to the specific example of Certipath, but does apply to other bridge CAs), a bridge allows all CAs in the bridge pool to issue certs to customers previously captive to a particular CA participating in the pool.

From a cloud perspective, a cloud Bridge CA has a straightforward effect. The more entities participate in a cloud Bridge CA, the more nebulous security becomes.

--Lucky Green

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
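The "lowest common denominator" effect Lucky describes is a property of certification-path discovery: once a bridge cross-certifies each member root and each member root cross-certifies the bridge, a relying party that configured only its own root as a trust anchor finds a valid path to every other member's issuing CAs. The toy model below is an added illustration, not code from the thread; it represents certificates as (subject, issuer) pairs with no signatures, and the CA names (RootA, RootB, RootC, SubCA-*, Bridge) are constructed for the example. It lets a defender count, for a given set of anchors, exactly which issuing CAs their software would accept before and after joining a bridge.

```python
"""Toy model of certification-path discovery across a bridge CA.

Added illustration, not part of the original thread. Certificates are
(subject, issuer) pairs without signatures or validity periods; all CA
names are constructed for the example.
"""
from collections import deque

# Constructed member roots; each gets one subordinate issuing CA.
MEMBER_ROOTS = ["RootA", "RootB", "RootC"]


def build_certs(with_bridge: bool):
    """Return the certificate set for the toy PKI, with or without the
    bridge's cross-certificates grafted above the member roots."""
    certs = [(root, root) for root in MEMBER_ROOTS]            # self-issued roots
    certs += [("SubCA-" + r[-1], r) for r in MEMBER_ROOTS]     # issuing CA per root
    certs.append(("Bridge", "Bridge"))                         # the bridge's own root
    if with_bridge:
        for r in MEMBER_ROOTS:
            certs.append(("Bridge", r))   # member root cross-certifies the bridge
            certs.append((r, "Bridge"))   # bridge cross-certifies the member root
    return certs


def find_path(subject, issuer, certs, anchors, max_depth=8):
    """Breadth-first path discovery from an end-entity cert (subject, issuer)
    up to any name in `anchors`. Returns the subject names along the path,
    end entity first and anchor last, or None if no path exists."""
    issuers_of = {}
    for s, i in certs:
        issuers_of.setdefault(s, []).append(i)
    start = (subject, issuer)
    queue = deque([(start, [subject])])
    seen = {start}
    while queue:
        (s, i), path = queue.popleft()
        if i in anchors:
            return path + [i]
        if len(path) >= max_depth:
            continue
        for up in issuers_of.get(i, []):
            if up == i:            # self-issued root that is not an anchor: dead end
                continue
            nxt = (i, up)
            if nxt not in seen:    # cross-certs form cycles; visit each cert once
                seen.add(nxt)
                queue.append((nxt, path + [i]))
    return None


def trusted_issuing_cas(anchors, certs):
    """Every CA name whose end-entity certificates a relying party holding
    `anchors` would accept. Growth of this set with bridge membership is the
    lowest-common-denominator effect: control of any CA in it suffices."""
    cas = {s for s, _ in certs}
    return {ca for ca in cas if find_path("probe", ca, certs, anchors) is not None}


if __name__ == "__main__":
    my_anchors = {"RootA"}      # a relying party that only ever trusted RootA
    for with_bridge in (False, True):
        certs = build_certs(with_bridge)
        path = find_path("employee@C", "SubCA-C", certs, my_anchors)
        print("bridge" if with_bridge else "no bridge",
              "| path for a cert issued under RootC:", path,
              "| issuing CAs accepted:", sorted(trusted_issuing_cas(my_anchors, certs)))
```

Running it shows that without the bridge the RootA relying party rejects a certificate issued under RootC (no path), while with the bridge the same certificate validates via RootC, Bridge, RootA, and the set of issuing CAs the relying party now accepts grows from two to all seven. Real PKIs can narrow that set with name and policy constraints on the cross-certificates; this model deliberately omits them to show the baseline effect the thread describes.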
