[cryptography] Diginotar Lessons Learned (long)

Arshad Noor arshad.noor at strongauth.com
Wed Sep 7 20:01:20 EDT 2011

On 09/07/2011 04:13 PM, dan at geer.org wrote:

> Peter (or anyone) -- would you comment on the existence and
> practice of "bridge CAs" please?  Extra credit (as in "thank
> you") for its plausible role in public clouds.

Two of the best-known Bridge CAs are the Federal Bridge CA, a
component of the Federal PKI:

- http://www.idmanagement.gov/pages.cfm/page/Federal-PKI

and the SAFE-BioPharma Bridge CA:

- http://www.safe-biopharma.org/
- http://en.wikipedia.org/wiki/SAFE-BioPharma_Association

There may be others, but I'm not aware of them.

Their usefulness stems from the fact that they allow completely
independent PKIs to "trust" each others' digital certificates
if a long list of assumptions is satisfied.

A fundamental requirement for the establishment of such trust
is the mapping of certification policies between PKIs, and the
determination (by lawyers and PKI technologists) that they are
equivalent in practice.

While they are not "CACA"s, they facilitate "trust" between
disparate PKIs through the Bridge CA.

If a public cloud containing a collection of digital certificates
issued by a PKI, and another public cloud with a collection of
digital certificates from a second PKI, can map their policies and
practices between themselves, there is technically no reason why a
Bridge CA cannot facilitate "trust" between the two clouds.

However, depending on the business problem being addressed, there
are other - and sometimes simpler - ways to establish such trust
without the need for Bridge CAs.

Arshad Noor
StrongAuth, Inc.
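The cross-certification and policy-mapping mechanism described in the message above, as an added toy example (not code from the original post, and not anything the Federal Bridge or SAFE-BioPharma publish): two independent PKIs, "PKI A" and "PKI B", each cross-certify a Bridge CA under their own certificate policy, and the cross-certificates carry an RFC 5280 policyMappings extension declaring the policies equivalent. A relying party in PKI A, trusting only its own root, can then validate a PKI B end-entity certificate through the Bridge. All CA names, subjects and policy OIDs are constructed for the example; the certificates are real X.509 objects signed with the Python `cryptography` package, and because that package has no PolicyMappings class the extension value is hand-encoded in DER. The policy walk is a deliberately simplified version of RFC 5280 section 6.1 (no anyPolicy, policyConstraints, name constraints or revocation). It also shows the caveat the message hints at: a second PKI B certificate issued under a policy that was never mapped is rejected, even though its signature chain is perfectly valid.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Assumed policy OIDs (private-enterprise arc) and CA names; NOT real FBCA/SAFE values.
POLICY_A = "1.3.6.1.4.1.99999.1.1"        # PKI A: medium assurance
POLICY_BRIDGE = "1.3.6.1.4.1.99999.2.1"   # Bridge CA: medium-assurance equivalent
POLICY_B = "1.3.6.1.4.1.99999.3.1"        # PKI B: medium assurance
POLICY_B_BASIC = "1.3.6.1.4.1.99999.3.2"  # PKI B: basic assurance, never mapped
POLICY_MAPPINGS = ObjectIdentifier("2.5.29.33")  # id-ce-policyMappings

# `cryptography` has no PolicyMappings class, so the extension value (SEQUENCE OF
# SEQUENCE { issuerDomainPolicy OID, subjectDomainPolicy OID }) is hand-DER'd.
def der_tlv(tag, body):
    assert len(body) < 128                      # short-form length is enough here
    return bytes([tag, len(body)]) + body
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                        # base-128, high bit = continuation
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += chunk
    return der_tlv(0x06, bytes(body))
def der_read(buf, pos):                         # -> (body, next_pos) of TLV at pos
    length = buf[pos + 1]
    return buf[pos + 2:pos + 2 + length], pos + 2 + length
def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def policy_mappings_ext(pairs):
    body = b"".join(der_tlv(0x30, der_oid(i) + der_oid(s)) for i, s in pairs)
    return x509.UnrecognizedExtension(POLICY_MAPPINGS, der_tlv(0x30, body))
def policy_mappings_of(cert):                   # -> [(issuerDomainPolicy, subjectDomainPolicy)]
    try:
        ext = cert.extensions.get_extension_for_oid(POLICY_MAPPINGS).value
    except x509.ExtensionNotFound:
        return []
    raw = ext.value if isinstance(ext, x509.UnrecognizedExtension) else ext.public_bytes()
    seq, pairs, pos = der_read(raw, 0)[0], [], 0
    while pos < len(seq):
        pair, pos = der_read(seq, pos)
        idp, nxt = der_read(pair, 0)
        pairs.append((decode_oid(idp), decode_oid(der_read(pair, nxt)[0])))
    return pairs
def policies_of(cert):
    ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    return {p.policy_identifier.dotted_string for p in ext}

def issue(subject, key, issuer, issuer_key, policies, mappings=(), ca=True):
    now = datetime.datetime.now(datetime.timezone.utc)
    cn = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder().subject_name(cn(subject)).issuer_name(cn(issuer))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.CertificatePolicies([x509.PolicyInformation(
             ObjectIdentifier(p), None) for p in policies]), critical=False))
    if mappings:                                # only cross-certificates carry mappings
        b = b.add_extension(policy_mappings_ext(mappings), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def validate(leaf, cross_certs, anchor, initial_policy):
    """Chain leaf -> anchor via cross-certs, verify signatures, walk the policy set
    (RFC 5280 6.1.3/6.1.4 minus anyPolicy, policyConstraints, names, revocation)."""
    path, cur = [leaf], leaf
    while cur.issuer != anchor.subject:
        cur = next(c for c in cross_certs if c.subject == cur.issuer and c.subject != c.issuer)
        path.append(cur)
    path.reverse()                              # anchor's direct child first
    expected, issuer = {initial_policy}, anchor
    for cert in path:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        expected &= policies_of(cert)           # cert must assert an expected policy
        if not expected:
            return False, cert.subject.rfc4514_string()
        for idp, sdp in policy_mappings_of(cert):   # cross-cert renames the policy
            if idp in expected:
                expected = (expected - {idp}) | {sdp}
        issuer = cert
    return True, sorted(expected)

def build_demo():
    ka, kbr, kb, k1, k2 = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root_a = issue("PKI A Root", ka, "PKI A Root", ka, [POLICY_A])
    # Each domain certifies the Bridge under its own policy and maps it onward.
    a_to_bridge = issue("Bridge CA", kbr, "PKI A Root", ka, [POLICY_A], [(POLICY_A, POLICY_BRIDGE)])
    bridge_to_b = issue("PKI B Root", kb, "Bridge CA", kbr, [POLICY_BRIDGE], [(POLICY_BRIDGE, POLICY_B)])
    alice = issue("alice@pki-b.example", k1, "PKI B Root", kb, [POLICY_B], ca=False)
    bob = issue("bob@pki-b.example", k2, "PKI B Root", kb, [POLICY_B_BASIC], ca=False)
    return root_a, [a_to_bridge, bridge_to_b], alice, bob
```

Calling `validate(alice, cross, root_a, POLICY_A)` after `root_a, cross, alice, bob = build_demo()` succeeds and reports that, from PKI A's point of view, alice's certificate satisfies PKI B's medium-assurance policy via the two mappings; the same call for bob fails at the leaf, because basic assurance was never declared equivalent to anything PKI A accepts. That is exactly the work the "lawyers and PKI technologists" do before a bridge is wired up: the mapping table in the cross-certificates is the technical residue of the policy-equivalence determination, and the path validator enforces nothing beyond it.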
