Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Apr 9 16:44:45 PDT 2010


Sarad AV <jtrjtrjtr2001 at yahoo.com> writes:

>I also wonder what the browser policy for major browsers is when a root CA 
>company is acquired by another company. Is trust automatically transferred to 
>the new company?

Yes.  When your CA goes bankrupt its only significant asset is often the root 
CA cert(s) it owns, which get on-sold to the highest bidder by the receivers. 
This has occurred numerous times in the past, and some roots have been on-sold 
multiple times, since it's both a means of monetising the CA's remaining 
assets and (usually) the cheapest way for a new CA to get their own cert.

>Will the browser keep or revoke these certificates?

Keep.

(I'm not sure whether the browser vendor will even know if it's been on-sold, 
or how the vendor is supposed to know unless the new owner volunteers the 
information.  Also you can't really "revoke" a root, and the browser vendors 
certainly can't do it; the best they can do is disable/remove it in the next 
release.)

Peter.
