Nick Lamb <[email protected]> writes:

>On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote:
>> Why would a public CA even need cross-certification from other CAs?
>
>Maybe this question has some subtlety to it that I'm missing?
OK, I really meant "that many other CAs". To take one example, the cross-certifying CA known as Usertrust that eventually became part of Comodo has been around since the late 1990s, so it's presumably trusted by everything under the sun, and then Comodo owns (at least) AddTrust AB, eBiz Networks, Positive Software, RegisterFly, Registry Pro, The Code Project, The USERTRUST Network, WebSpace-Forum e.K., and Wotone Communications.

Getting a whole pile of other cross-certifications from additional CAs seems a bit redundant, and has the flipside that once you've got a sufficiently complex mesh of cross-certifications you've established such a level of fault-tolerance that it's difficult to untrust a CA because there'll always be another cross-certification somewhere leading to a trusted root.

Peter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy


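The fault-tolerance effect Peter describes can be made concrete with a small path-building simulation. The following is an added example, not code from the thread or from any CA or browser; the CA names, the certificate list and the trust anchors are constructed for illustration and do not correspond to real hierarchies. It enumerates every issuer chain from an end-entity certificate to a trusted root, then finds the smallest set of roots that would have to be distrusted before no chain remains: with cross-certificates in place, a single distrust decision is not enough, whereas the same hierarchy without cross-certification can be cut off by removing one root.

```python
from collections import defaultdict
from itertools import combinations

# Constructed example data (hypothetical names): each tuple is (issuer, subject)
# for one certificate. Roots are self-signed; a cross-certificate gives a CA a
# second issuer in addition to its own root.
CERTS_WITH_CROSS = [
    ("LegacyRoot", "LegacyRoot"),
    ("NewRoot", "NewRoot"),
    ("ThirdRoot", "ThirdRoot"),
    ("NewRoot", "IntermediateCA"),            # ordinary issuance under NewRoot
    ("LegacyRoot", "NewRoot"),                # cross-cert: LegacyRoot vouches for NewRoot
    ("ThirdRoot", "IntermediateCA"),          # cross-cert from an unrelated root
    ("IntermediateCA", "www.example.test"),   # end-entity certificate
]

# The same hierarchy with no cross-certificates at all.
CERTS_NO_CROSS = [
    ("LegacyRoot", "LegacyRoot"),
    ("NewRoot", "NewRoot"),
    ("ThirdRoot", "ThirdRoot"),
    ("NewRoot", "IntermediateCA"),
    ("IntermediateCA", "www.example.test"),
]

# Roots present in the (constructed) trust store.
ANCHORS = frozenset({"LegacyRoot", "NewRoot", "ThirdRoot"})


def issuers_of(certs):
    """Map each subject name to the set of CAs that issued a certificate for it."""
    up = defaultdict(set)
    for issuer, subject in certs:
        if issuer != subject:          # skip self-signed roots
            up[subject].add(issuer)
    return up


def find_chains(leaf, certs, anchors, max_len=6):
    """Return every loop-free issuer chain from leaf to a name in anchors.

    A chain terminates at the first trust anchor it reaches, as a validator
    would; names not in anchors (including a distrusted former root) are
    treated as ordinary intermediates and followed further up.
    """
    up = issuers_of(certs)
    chains = []
    stack = [[leaf]]
    while stack:
        path = stack.pop()
        current = path[-1]
        if current in anchors:
            chains.append(path)
            continue
        if len(path) >= max_len:
            continue
        for issuer in sorted(up[current]):
            if issuer not in path:     # avoid cycles in the cross-cert mesh
                stack.append(path + [issuer])
    return sorted(chains)


def minimal_distrust_set(leaf, certs, anchors):
    """Smallest set of anchors whose removal leaves leaf with no valid chain."""
    anchors = frozenset(anchors)
    for size in range(len(anchors) + 1):
        for combo in combinations(sorted(anchors), size):
            if not find_chains(leaf, certs, anchors - set(combo)):
                return frozenset(combo)
    return anchors   # unreachable: removing every anchor always works


if __name__ == "__main__":
    leaf = "www.example.test"
    for label, certs in (("with cross-certs", CERTS_WITH_CROSS),
                         ("without cross-certs", CERTS_NO_CROSS)):
        print(f"== {label} ==")
        for chain in find_chains(leaf, certs, ANCHORS):
            print("  chain:", " <- ".join(chain))
        print("  roots that must all be distrusted:",
              sorted(minimal_distrust_set(leaf, certs, ANCHORS)))
```

Running the script shows two chains for the cross-certified hierarchy and, after distrusting NewRoot, still two (one now climbing through NewRoot to LegacyRoot via the cross-certificate); all three roots have to go before the leaf stops validating. Without the cross-certificates, distrusting NewRoot alone is sufficient. For a defender the useful check is the `minimal_distrust_set` size: if it is larger than one for certificates you care about, a root-removal decision by the trust store will not by itself stop those certificates from validating.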