[cryptography] Diginotar Lessons Learned (long)

Lucky Green shamrock at cypherpunks.to
Wed Sep 7 20:59:51 EDT 2011

On 2011-09-07 16:13, dan at geer.org wrote:
> Peter (or anyone) -- would you comment on the existence and
> practice of "bridge CAs" please?  Extra credit (as in "thank
> you") for its plausible role in public clouds.

Bridge CAs serve to graft a new top-level root above a preexisting set
of root CAs. Bridge CAs' practical purpose is generally to facilitate PKI
adoption in a particular industry vertical or geographical region.

An example of a bridge CA would be the aerospace bridge CA Certipath. It
bridges the Federal Bridge CA (issuing certs to federal employees, a
large customer of the aerospace industry) and various CAs trusted by
aerospace companies, such as CAs operated by Boeing, Lockheed Martin,
Raytheon, and EADS.

Bridge CAs permit existing customers of a particular CA to continue to
obtain certificates from the CA to which they are accustomed while
equally trusting certificates issued by all other CAs that are part of
the Bridge.

You can analyze Bridge CAs in a number of dimensions. Some of the most
popular dimensions for analysis are risk management and marketing.

From a risk management perspective, the Bridge CA levels the risk
playing field to the lowest common denominator. If DoD, Lockheed,
Boeing, and EADS all trust certs that chain to the Bridge CA, then a
hacker or rogue employee that gains control of the EADS root CA can
issue certs to Iranian hackers that Lockheed employees'
certificate-consuming software will believe belong to a DoD contract
administrator asking for copies of blueprints for Lockheed's newest
fighter aircraft.

From a marketing perspective (which does not apply to the specific
example of Certipath, but does apply to other bridge CAs), a bridge
allows all CAs in the bridge pool to issue certs to customers previously
captive to a particular CA participating in the pool.

From a cloud perspective, a cloud Bridge CA has a straightforward
effect. The more entities participate in a cloud Bridge CA, the more
nebulous security becomes.

--Lucky Green
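The risk-management point above, as an added example that is not part of the original post: a toy certification-path builder over a constructed trust graph shows that once mutual cross-certificates link each member root to the bridge, a relying party trusting only the Lockheed root accepts a certificate issued under any member root, including a compromised one; the example also goes beyond the post by modelling X.509 name constraints (RFC 5280) on the bridge's cross-certificates, the standard defender's control for confining each member to its own name space. The CA names are the post's, the name spaces and the `Certipath Bridge` label are assumed values.

```python
from collections import deque

# Constructed toy trust graph (added example, not from the original post).
# A certificate is (subject, issuer, permitted_suffix): permitted_suffix is an
# optional X.509 name constraint limiting the names below that CA.
BRIDGE = "Certipath Bridge"
NAMESPACES = {                 # each member CA's own name space (assumed values)
    "Federal Bridge": "@dod.example",
    "Boeing Root": "@boeing.example",
    "Lockheed Root": "@lockheed.example",
    "Raytheon Root": "@raytheon.example",
    "EADS Root": "@eads.example",
}

def bridge_certs(constrained=False):
    """Mutual cross-certificates between the bridge and every member CA; with
    constrained=True the bridge confines each member to its own name space."""
    certs = []
    for member, suffix in NAMESPACES.items():
        certs.append((member, BRIDGE, suffix if constrained else None))
        certs.append((BRIDGE, member, None))
    return certs

def find_path(ee_name, ee_issuer, certs, anchor):
    """Breadth-first path discovery from the end-entity's issuer up to the
    relying party's trust anchor; a link whose name constraint does not cover
    ee_name is rejected.  Returns the list of CAs on the path, or None."""
    queue = deque([(ee_issuer, [ee_issuer])])
    while queue:
        current, path = queue.popleft()
        if current == anchor:
            return path
        for subject, issuer, constraint in certs:
            if subject != current or issuer in path:
                continue  # not a link from here, or would loop
            if constraint is not None and not ee_name.endswith(constraint):
                continue  # name constraint on this link excludes ee_name
            queue.append((issuer, path + [issuer]))
    return None

def accepted_issuers(anchor, certs):
    """Every CA whose certificates a relying party trusting `anchor` accepts
    (ignoring name constraints): the anchor plus all CAs reachable below it."""
    seen, stack = {anchor}, [anchor]
    while stack:
        issuer = stack.pop()
        for subject, iss, _ in certs:
            if iss == issuer and subject not in seen:
                seen.add(subject)
                stack.append(subject)
    return seen
```

With an unconstrained bridge, `find_path("contract-admin@dod.example", "EADS Root", bridge_certs(), "Lockheed Root")` returns a path through the bridge, so the rogue cert is accepted; with `bridge_certs(constrained=True)` the same call returns `None`, while a DoD name issued under the Federal Bridge still validates.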

