and just to make sure there is a common understanding regarding SSL cert operation ... the browser code 1) checks that the SSL server cert can be validated by ANY public key that is in the browser preloaded list (I haven't verified whether they totally ignore all of the "cert" part of these preloaded public keys ... things like expiration date ... that these preloaded public keys are in the preloaded list appears to be sufficient ... details like the preloaded public keys happened to be wrappered in these certificate containers is almost extraneous). 2) validates the signature on the SSL server cert with the corresponding public key 3) checks if the website domain/host name is the same (or in some cases similar) to the domain/host name specificed in the SSL server cert. I have noticed that browsers tend to pretty much ignore the contents of these SSL server certificates ... things like expiration date ... except the public key, the domain/host name, and the signature (and the signature only has real meaning within the context of the infrastructure associated with the public key in the preloaded list with the lowest trust/integrity level; this is analogous to security weakest link ... a bank vault with a 4ft think vault door doesn't do much good if the vault has no walls). 4) uses the public key in the SSL server cert to validate communication with the server. all of this happens automagically from most users' standpoint (probably less than one percent of the population even knows that there is such a thing as a preload list). pgut001@cs.auckland.ac.nz on 7/10/2002 at 9:12 pm wrote: Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA certs. * Certs with 512-bit keys. * Certs with 40-year lifetimes. * Certs from organisations you've never heard of before ("Honest Joe's Used Cars and Certificates"). * Certs from CAs with unmaintained/moribund websites ("404.notfound.com"). These certs are what controls access to your machine (ActiveX, Java, install- on-demand, etc etc). * It takes 600-700 mouse clicks to disable these certs to leave only CAs you really trust. (The above information was taken from "A rant about SSL, oder: die grosse Sicherheitsillusion" by Matthias Bruestle, presented at the KNF-Kongress 2002).
Why is not someone else issuing certificates?
How many more do you need? Peter.