Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Apr 9 16:44:45 PDT 2010
Sarad AV <jtrjtrjtr2001 at yahoo.com> writes:
>I also wonder what the browser policy for major browsers is when a root CA
>company is acquired by another company. Is trust automatically transferred to
>the new company?
Yes. When your CA goes bankrupt its only significant asset is often the root
CA cert(s) it owns, which get onsold to the highest bidder by the receivers.
This has occurred numerous times in the past, and some roots have been onsold
multiple times, since it's both a means of monetising the CA's remaining
assets and (usually) the cheapest way for a new CA to get their own cert.
>Will the browser keep or revoke these certificates?
Keep.
(I'm not sure whether the browser vendor will even know if it's been on-sold,
or how the vendor is supposed to know unless the new owner volunteers the
information. Also you can't really "revoke" a root, and the browser vendors
certainly can't do it, the best they can do is disable/remove it in the next
release).
Peter.
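The two mechanics behind the answer above (a root's status is whatever the browser's store says it is, and revocation pointers exist only for certificates that have an issuer above them), shown with a throwaway PKI. This is an added example, not code from the original post or from Peter; it assumes an openssl binary (1.1.1 or 3.x) on PATH, and every organisation name, hostname and URL in it is made up.

```shell
#!/bin/sh
# Added example, not from the post: a throwaway PKI showing why a root cannot be
# "revoked" and why the trust store is the only lever. Requires an `openssl`
# binary (1.1.1 or 3.x) on PATH; every name and URL below is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config for all certs. The root gets no CRL/OCSP pointer: there is no
# issuer above it that could publish its status. The leaf points at the
# root's (fictional) CRL and OCSP responder, as a real end-entity cert would.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.test
crlDistributionPoints = URI:http://crl.example.test/root.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF

# Self-signed root: $1 = output basename, $2 = organisation name.
make_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/pki.cnf" -extensions v3_ca \
        -subj "/O=$2/CN=$2 Root" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Leaf signed directly by the named root (a two-cert chain keeps the demo short).
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/pki.cnf" -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Prints "yes" if the certificate names a CRL or OCSP source, else "no".
names_revocation_source() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq 'CRL Distribution Points|Authority Information Access'; then
        echo yes
    else
        echo no
    fi
}

# Prints "OK" if the leaf chains to a root present in the given bundle
# (a stand-in for the browser's root store), else "FAIL".
chain_status() {
    if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_root acme "Acme Certs Ltd"     # the root whose owner may change hands
make_root other "Unrelated CA"      # some other root the store also trusts
make_leaf acme

# Two versions of the "browser root store": one with Acme's root, one
# after the vendor has pulled it in a new release.
cat "$WORK/other.pem" "$WORK/acme.pem" > "$WORK/store_with_acme.pem"
cat "$WORK/other.pem"                  > "$WORK/store_without_acme.pem"

echo "root names a revocation source:  $(names_revocation_source "$WORK/acme.pem")"
echo "leaf names a revocation source:  $(names_revocation_source "$WORK/leaf.pem")"
echo "leaf with Acme root in store:    $(chain_status "$WORK/store_with_acme.pem")"
echo "leaf with Acme root removed:     $(chain_status "$WORK/store_without_acme.pem")"
```

Nothing in the Acme root changes if the company that holds its private key is sold: the certificate, its fingerprint and its place in the store are identical, so relying parties keep trusting it until the store is edited. The leaf carries CRL and OCSP pointers because it has an issuer that can speak for it; the root has none, which is why the only "revocation" available to a browser vendor is the store change in the last two lines.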