Florian Weimer <f...@deneb.enyo.de> writes:

> 4) It can't be trademarked because the company named in the DN is long
> gone
>
> (It's quite strange that so many of the browser root certs use DNs
> which aren't correct anymore.)
It isn't strange -- it is part of the fairly frightening ecology we've developed. Let's remember briefly how we got here...

1) Netscape wanted to deploy SSL
2) ...but to do that, they needed some way of getting people trust anchors for the certificate system...
3) ...and lacking time for any sort of real protocol, the easy move was just building them into the browser binaries...
4) ...and everyone else followed suit...
5) ...so now, being one of the magic CAs whose root certs are distributed with the commonly used browsers (IE, Safari, Firefox, Opera, etc.) is a license to print money.
6) ...as a result of which, lots of CAs have been bought, sold and traded around repeatedly.

This is all part and parcel of the problem that you can't *really* trust the CAs terribly much. The security of your browser is, to a large extent, dependent on the security practices of the least diligent CA built into your browser. (There are loads of other problems too of course.)

It is particularly interesting to me how far we've come from the original vision of X.509 -- indeed, a large fraction of our infrastructure now uses X.500 DNs and X.509 certs in a manner totally alien to the original vision for those technologies. There is no global X.500 directory, there is no rigidly central global certification hierarchy. The data formats have become a sort of mere magical incantation -- almost no one involved has any knowledge of what any of it means, how it evolved, or what the real threats are. To a scary extent, this includes people making critical security decisions about the infrastructure.

With my moderator hat on, I'm not *too* interested in opening this up again -- we've discussed it repeatedly in the past -- but I think a reminder isn't a bad thing. I'll forward posts that have something particularly new to say about the subject, or at least which say something old in a particularly interesting way. :)

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com