Free Republic

To: Gideon7
Out of curiosity, would it be possible for new certificates to be bundled with signatures (of the new certificate) signed with any previous certificates that might reasonably be in use, and for browsers to warn any time an attempt is made to access a site for which the browser has a certificate, but which advertises a new certificate that isn't signed by the old one?

If, the first time my machine accesses mywonderfulbank.com, the request gets intercepted by a site which has a bogus certificate, there'd be no way my machine could catch that, but if my machine had previously accessed the real mywonderfulbank.com and received a certificate, there would be no way a phony certificate could pass muster without a warning.

10 posted on 03/23/2011 8:28:21 PM PDT by supercat (Barry Soetoro == Bravo Sierra)


To: supercat
for browsers to warn any time an attempt is made to access a site for which the browser has a certificate, but which advertises a new certificate that isn't signed by the old one?

Nice idea but unfortunately certs don't work that way.

Each cert is independently signed by a higher CA. Many companies can (and do) switch CAs for various business reasons. For example I switched my company's CA from VeriSign to Thawte to save money. Under your system my new certs would not work because the new CA does not match the old one.

In PKI circles various ideas have been kicked around about how to increase the trustworthiness of a cert, such as co-signing or otherwise having a 3rd party vouch for the CA that signed you. Microsoft already does this to a limited extent with Authenticode-signed device drivers, which requires a Microsoft Cross-Certificate before Windows 7 will load your 64-bit kernel code.

14 posted on 03/24/2011 7:57:57 AM PDT by Gideon7
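The scheme proposed in post 10 and the CA-switch case raised in post 14, worked through as an added example that is not code from either poster. It is Go using only the standard library; the Ed25519 keys, the hostname mywonderfulbank.com, the CA names "Old CA" and "New CA", and every certificate are constructed fixtures for the example. The client keeps the last leaf certificate it saw per hostname, and a different certificate for a known host is accepted without a warning only if it carries a countersignature made with the previously recorded certificate's key; ordinary CA chain validation is left to the existing code path and is not changed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Verdict int // decision of the continuity check for one connection

const (
	FirstUse  Verdict = iota // no record for this host: trust on first use, remember the cert
	Unchanged                // same certificate as last time
	Rollover                 // new certificate countersigned by the previously recorded key
	Warn                     // new certificate with no valid countersignature from the old key
)

type ContinuityStore map[string]*x509.Certificate // last leaf cert seen per hostname

// Check applies the thread's rule: once a host has a record, a different certificate passes
// only with rolloverSig, the operator's signature over the new cert's DER bytes made with the
// old cert's key. CA chain validation happens separately and is unaffected by this check.
func (s ContinuityStore) Check(host string, presented *x509.Certificate, rolloverSig []byte) Verdict {
	prev, seen := s[host]
	if !seen {
		s[host] = presented
		return FirstUse
	}
	if prev.Equal(presented) {
		return Unchanged
	}
	prevKey, ok := prev.PublicKey.(ed25519.PublicKey) // fixtures below are Ed25519 only
	if ok && ed25519.Verify(prevKey, presented.Raw, rolloverSig) {
		s[host] = presented // the old key vouched for the new one; retire the old record
		return Rollover
	}
	return Warn
}

// makeCert builds an Ed25519 certificate for name; parent == nil gives a self-signed CA.
// Constructed fixtures only, not a real CA or a real bank.
func makeCert(name string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	} else {
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// Scenario replays the thread's cases for one made-up hostname and returns the verdicts in order.
func Scenario() []Verdict {
	const host = "mywonderfulbank.com"
	caA, keyA := makeCert("Old CA", 1, nil, nil)
	caB, keyB := makeCert("New CA", 2, nil, nil)
	leaf1, key1 := makeCert(host, 100, caA, keyA) // the bank's original cert
	leaf2, _ := makeCert(host, 200, caB, keyB)    // new key after switching CAs
	bogus, _ := makeCert(host, 300, caB, keyB)    // third cert for the same name, standing in for an interceptor
	// All three chain to a CA, so chain validation alone cannot tell them apart.
	if leaf1.CheckSignatureFrom(caA) != nil || leaf2.CheckSignatureFrom(caB) != nil || bogus.CheckSignatureFrom(caB) != nil {
		panic("fixtures must chain to their CAs")
	}
	store := ContinuityStore{}
	rollover := ed25519.Sign(key1, leaf2.Raw) // operator countersigns the new cert with the old key
	return []Verdict{
		store.Check(host, leaf1, nil),                           // FirstUse
		store.Check(host, leaf1, nil),                           // Unchanged
		store.Check(host, leaf2, nil),                           // Warn: CA switch, no countersignature (post 14's objection)
		store.Check(host, leaf2, rollover),                      // Rollover: the old key vouches for the new cert
		store.Check(host, bogus, nil),                           // Warn: the record is now leaf2
		store.Check(host, bogus, ed25519.Sign(key1, bogus.Raw)), // Warn: the retired key no longer vouches
	}
}
```

Two things the walk-through makes concrete. The continuity record is keyed on the site's own previous certificate, not on which CA issued it, so a CA switch by itself only produces a warning when the operator ships the new certificate without the countersignature; once the countersignature is present the store rolls forward and the retired key stops vouching for anything. The limits are the ones post 10 already states: the first contact is unverified, and anyone holding the old private key (including an attacker who has stolen it) can produce a valid countersignature, so the check is key continuity, not a replacement for CA validation or revocation.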

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson