On Fri, Jun 21, 2002 at 08:28:40AM -0500, [EMAIL PROTECTED] wrote:
> I came across this interesting announcement by RSA:
>
> <http://www.rsasecurity.com/news/pr/2002/020619.html>
>
> Particularly from the above announcement:
>
>     By using this solution, customers' Web server certificates
>     generated and issued by their RSA Keon Certificate Authority
>     (CA) software are designed to be automatically validated -
>     and therefore trusted - by popular Web browsers, e-mail
>     packages and other applications that leverage the recognized
>     issuer lists of these Web browsers.
>
> This announcement appears to completely break down the trust model assuming
> anybody can host a Keon CA that will issue trusted certificates.
But haven't browsers supported certificate chaining for years? As far as I
can tell, that's all this is - RSA issues you a cert which says that you are
trusted to create additional certificates (presumably just for entities within
your organisation).

The trust model doesn't break down just because anyone can create a valid
X.509 certificate. There still has to be a valid chain of trust leading back
to a trusted party (RSA, in this case). If that trust is abused, then RSA can
revoke your cert and break the chain.

Ian Clelland <[EMAIL PROTECTED]>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
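The chaining Ian describes, as an added example that is not part of the original thread and is not RSA's or Keon's code: a trust anchor certifies an organisation's subordinate CA, the subordinate issues a server certificate, and a validator built on Go's standard crypto/x509 accepts the leaf only when a path leads back to an anchor it already trusts. It goes a little beyond the message in one respect: the subordinate certificate carries a pathlen of 0 and a name constraint on example.com, which is the standard X.509 way to enforce the "presumably just for entities within your organisation" part, and the example shows the validator refusing a certificate the subordinate issued outside that space. Every name here (Example Trust Anchor, Example Corp Issuing CA, www.example.com, www.bank.test) is made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a toy PKI: a browser-shipped trust anchor, a subordinate CA it certified, and two
// server certs that subordinate issued, one in its own domain and one it was never authorised for.
type Hierarchy struct {
	Root, Sub, Leaf, Rogue *x509.Certificate
}

// issue makes a fresh P-256 key for tmpl and has parentKey sign it; nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildHierarchy creates anchor -> subordinate CA -> leaves. The subordinate is CA:TRUE with pathlen 0
// and name-constrained to example.com, one standard way an anchor confines it to its own organisation.
func BuildHierarchy() *Hierarchy {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trust Anchor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	sub, subKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen: 0, MaxPathLenZero: true, // may sign end-entity certs, not further CAs
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.com"},
	}, root, rootKey)
	serverCert := func(host string, serial int64) *x509.Certificate { // minted by the subordinate
		c, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, sub, subKey)
		return c
	}
	return &Hierarchy{Root: root, Sub: sub,
		Leaf:  serverCert("www.example.com", 3),
		Rogue: serverCert("www.bank.test", 4), // outside the permitted example.com
	}
}

// Validate mimics a browser: trust the anchor only if it is in the store, use the intermediate only
// if the server sent it, then try to build a path from leaf back to an anchor for host.
func (h *Hierarchy) Validate(leaf *x509.Certificate, host string, anchorTrusted, subSent bool) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // empty pools, never the OS store
	if anchorTrusted {
		roots.AddCert(h.Root)
	}
	if subSent {
		inters.AddCert(h.Sub)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown authority"
	case x509.CertificateInvalidError:
		if e.Reason == x509.CANotAuthorizedForThisName {
			return "outside name constraint"
		}
	}
	return "other: " + err.Error()
}

func main() {
	h := BuildHierarchy()
	fmt.Println("anchor trusted, intermediate sent:", h.Validate(h.Leaf, "www.example.com", true, true))
	fmt.Println("anchor not in the store:          ", h.Validate(h.Leaf, "www.example.com", false, true))
	fmt.Println("issued outside its organisation:  ", h.Validate(h.Rogue, "www.bank.test", true, true))
}
```

Run it with `go run`. The second case is the situation the first poster worried about: a CA that nobody in the browser's issuer list has vouched for produces certificates that fail with "unknown authority", however valid they look on their own. Calling `Validate` with `subSent` false gives the same verdict, which is the everyday failure of a server that forgets to send its intermediate. What the example does not model is the last step in Ian's argument: Go's `Verify` performs no CRL or OCSP lookup, so revocation of the subordinate by the anchor has to be checked separately.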