Peter Gutmann wrote, quoting Matthias Bruestle:
Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA certs.
* Certs with 512-bit keys.
* Certs with 40-year lifetimes.
* Certs from organisations you've never heard of before ("Honest Joe's Used Cars and Certificates").
* Certs from CAs with unmaintained/moribund websites ("404.notfound.com").
One thing to keep in mind is that the name of the CA on the pre-installed root cert in some cases will bear no relation to the actual issuer of the cert. Just because the business of some.trusted.ca.nil has gone under does not mean their root keys are out of circulation. "Trusted roots" have long been bought and sold on the secondary market as any other commodity. For surprisingly low amounts, you too can own a trusted root that comes pre-installed in >95% of all web browsers deployed. In fact, it is considerably more expensive for an aspiring public CA provider to incur the costs of policies and procedures development, equipment expenditures, auditing cost, etc. required to have a root added to browsers nowadays than it is to just buy an existing trusted CA's Chrysalis or nCipher HSM.

--Lucky