Re: RSA vs AES
From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 09/01/03
- Next message: Scott Contini: "Re: Factoring program"
- Previous message: George Ou: "Re: RSA vs AES"
- In reply to: George Ou: "Re: RSA vs AES"
- Next in thread: George Ou: "Re: RSA vs AES"
- Reply: George Ou: "Re: RSA vs AES"
- Reply: Anne & Lynn Wheeler: "Re: RSA vs AES"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 31 Aug 2003 23:34:50 GMT
George Ou <533george_ou234@netzero234.com> writes:
> In the case of a simple stolen MS code signing certificate from
> Verisign, MS took the extra burden of issuing a critical patch to
> revoke that stolen cert. What do you think would happen if one of
> Verisign's root CA private key's were somehow miraculously
> compromised? Don't you think it would be all over the news? Would
> you be so foolish to think the security or PKI industry would simply
> rely on people checking the CRLs? No way! It would be all over the
> news and just about every security site would be telling you to revoke
> those stolen root CAs. MS would issue a patch for all windows OSes.
> It would be the biggest news item for weeks to come! Verisign would
> loose all credibility and the PR disaster could kill Verisign. It
> would be 1000 times more damaging than that stolen MS code signing
> cert!
the small caveate is that browsers have easily some fifty pre-loaded
root CA keys .... in some cases for companies that may no longer be in
business. It isn't clear how long it would take for anyone to notice
if any of these other keys ever got compromised ... or even if
somebody questionable bought all the corporate assets at a fire sale.
in the existing ssl browser scenario there is no differentiation regarding
trust levels for preloaded root CA keys.
some old threads about what root CA keys may actually be preloaded
into browsers:
http://www.garlic.com/~lynn/aepay4.htm#comcert14 Merchant Comfort Certificates
http://www.garlic.com/~lynn/aepay4.htm#comcert16 Merchant Comfort Certificates
netscape 7.1 & mozilla 1.4 cerificate managers don't allow cut & past
.... so the hard way (following organizations have one or more public
keys preloaded, list of public keys for 7.1 & 1.4 are the same):
Keywitness Canada Inc
ABA ECOM, Inc
AOL, Time Warner Inc
AT&T
AddTrust AB
American Online, Inc
American Express Company, Inc
BBN Certificate Services
Baltimore
BetSign NV
Canada Post Corporation
CertSign Certicadora
CyberTrust Japan
Deutsche Telecom AG
Digital Signature Trust
E-Certify
Entrust.net
Equifax
Equifax Secure
Equafax Secure Inc
GTE CyberTrust
GeoTrust Inc
GlobalSign nv-sa
IBM World Registry
Integrion Financial Network
MCI
RSA Data Security
RSA Security
TC TrustCenter for Security In Data Networks
Thawte
Thawte Consulting
Thawte Consulting cc
The USERTRUST Network
USPS
Uptime Group
VISA
ValiCert
VeriSign Trust Network
VeriSign, Inc
Xcert EZ
beTRUSTed
gc
-- Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
- Next message: Scott Contini: "Re: Factoring program"
- Previous message: George Ou: "Re: RSA vs AES"
- In reply to: George Ou: "Re: RSA vs AES"
- Next in thread: George Ou: "Re: RSA vs AES"
- Reply: George Ou: "Re: RSA vs AES"
- Reply: Anne & Lynn Wheeler: "Re: RSA vs AES"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
