Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: supercat
for browsers to warn any time an attempt is made to access a site for which the browser has a certificate, but which advertises a new certificate that isn't signed by the old one?

Nice idea but unfortunately certs don't work that way.

Each cert is independently signed by a higher CA. Many companies can (and do) switch CAs for various business reasons. For example I switched my company's CA from VeriSign to Thawte to save money. Under your system my new certs would not work because the new CA does not match the old one.

In PKI circles various ideas have been kicked around about to increase trustworthyness of a cert, such as co-signing or otherwise having a 3rd party vouch for the CA that signed you. Microsoft already does this to a limited extent with Authenticode-signed device drivers, which requires a Microsoft Cross-Certificate before Windows 7 will load your 64-bit kernel code.

14 posted on 03/24/2011 7:57:57 AM PDT by Gideon7
[ Post Reply | Private Reply | To 10 | View Replies ]


To: Gideon7
Each cert is independently signed by a higher CA.

Is there any ability for a cert to contain multiple signatures? Obviously one needs the CA signature, but does it have to be the only one? My thought would be that security could be greatly improved if as a matter of course certificates were signed by older versions in addition to being signed by CA's. What I'd ideally like to see would be a facility by which a certificate for foo.com could contain a notation which would mean: "Foo.com has no intention of issuing, or requesting the issuance of, any certificates before 3/24/2013 which aren't signed by the public key in this certificate. Be very very very suspicious of any certificates that claim to be from foo.com but do not have such a signature. Also [optionally], if the previous certificate from foo.com had a thumbprint other than xxx, yyy, zzz, or qqq, warn the user that the previous certificate was likely bogus."

Even if someone managed to trick a CA into issuing a bogus cert for foo.com, such a bogus cert would raise red flags if someone who had previously used a valid cert tried to use a bogus one. Also, if someone who used an undetected bogus cert subsequently tried to use a valid cert, they'd get a (somewhat belated) warning of security compromise in that situation as well.

16 posted on 03/24/2011 3:39:18 PM PDT by supercat (Barry Soetoro == Bravo Sierra)
[ Post Reply | Private Reply | To 14 | View Replies ]

Free Republic
Browse · Search
News/Activism
Topics · Post Article


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson