[cryptography] Diginotar Lessons Learned (long)

Michael Nelson nelson_mikel at yahoo.com
Tue Sep 13 18:29:46 EDT 2011

> An alternative to cross-certification called bridge CAs [ ],
> initially known as overseer CAs when they were developed
> for the Automotive Network Exchange (ANX) program and
> which were in turn based on even earlier pre-PKI work on
> inter-realm authentication [ ][ ][ ][ ], avoids this problem to
> some degree by adding a single super-root that bridges two
> or more root CAs.
Bridges have a similar end result, as far as what you trust, to what you say.  But to clarify, a bridge is not a trusted root.  Relying parties do not install the bridge certificate as a trusted root.  They continue to use their original CA.  But now certificates from another CA can chain up through the bridge to the original trusted root.
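The chaining described above, worked through in code. This is an added example and not part of the post: a toy model of certificate-path building in which a relying party holds only its own root as a trust anchor, and a certificate from a second root's hierarchy is accepted only because cross-certificates issued through a bridge let the path terminate at that anchor. The bridge's own self-signed certificate is deliberately kept out of the anchor store. Names (Root A, Root B, Bridge, the leaf), key identifiers and the pool of cross-certificates are all constructed for illustration; signature verification is abstracted to matching issuer and subject key identifiers, whereas a real validator checks the signature on each certificate with the issuer's public key.

```python
"""Toy bridge-CA path building (constructed example, not from the original post).

A relying party trusts only the anchors it configured. Cross-certificates in
the pool let a path from another hierarchy reach that anchor via the bridge.
Signature checking is abstracted: a certificate "chains" to an issuer when the
issuer name and issuer key identifier match the candidate's subject fields.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple

Anchor = Tuple[str, str]  # (name, key identifier) of a configured trust anchor


@dataclass(frozen=True)
class Cert:
    subject: str
    subject_key: str  # identifier of the public key certified here
    issuer: str
    issuer_key: str   # identifier of the key that signed this certificate
    is_ca: bool = True

    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.subject_key == self.issuer_key


# Constructed hierarchy: two independent roots plus a bridge cross-certified
# with each of them. The bridge is never installed as a trust anchor.
ROOT_A = Cert("Root A", "KA", "Root A", "KA")
ROOT_B = Cert("Root B", "KB", "Root B", "KB")
BRIDGE = Cert("Bridge", "KX", "Bridge", "KX")
CROSS_A_TO_BRIDGE = Cert("Bridge", "KX", "Root A", "KA")  # Root A certifies the bridge key
CROSS_BRIDGE_TO_A = Cert("Root A", "KA", "Bridge", "KX")  # bridge certifies Root A's key
CROSS_B_TO_BRIDGE = Cert("Bridge", "KX", "Root B", "KB")
CROSS_BRIDGE_TO_B = Cert("Root B", "KB", "Bridge", "KX")
LEAF_B = Cert("alice@b.example", "KL", "Root B", "KB", is_ca=False)

# Everything a relying party could fetch (directory, AIA, cached certs).
POOL: List[Cert] = [ROOT_A, ROOT_B, BRIDGE, CROSS_A_TO_BRIDGE, CROSS_BRIDGE_TO_A,
                    CROSS_B_TO_BRIDGE, CROSS_BRIDGE_TO_B, LEAF_B]

ROOT_A_ANCHOR: Anchor = ("Root A", "KA")
ROOT_B_ANCHOR: Anchor = ("Root B", "KB")


def build_path(leaf: Cert, pool: Sequence[Cert], anchors: Set[Anchor],
               max_len: int = 6) -> Optional[List[Cert]]:
    """Depth-first search from the leaf toward a configured trust anchor.

    Returns the list of certificates (leaf first) whose last element is
    issued directly by an anchor, or None when no such path exists.
    Self-signed certificates found in the pool are never used as links:
    a root is trusted only by being configured as an anchor.
    """

    def dfs(path: List[Cert]) -> Optional[List[Cert]]:
        cur = path[-1]
        if (cur.issuer, cur.issuer_key) in anchors:
            return path
        if len(path) >= max_len:
            return None
        for cand in pool:
            if cand in path or not cand.is_ca or cand.self_signed():
                continue
            if cand.subject == cur.issuer and cand.subject_key == cur.issuer_key:
                found = dfs(path + [cand])
                if found is not None:
                    return found
        return None

    return dfs([leaf])


def describe(path: Optional[List[Cert]]) -> List[str]:
    """Human-readable 'subject <- issuer' links for a path (empty if none)."""
    if path is None:
        return []
    return [f"{c.subject} <- {c.issuer}" for c in path]


if __name__ == "__main__":
    # Relying party that installed only Root A accepts a Root B leaf via the bridge.
    print(describe(build_path(LEAF_B, POOL, {ROOT_A_ANCHOR})))
    # The same relying party cannot chain the leaf once Root A's cross-cert is gone
    # (revoking or withdrawing that one certificate un-bridges Root A).
    print(describe(build_path(LEAF_B, [c for c in POOL if c != CROSS_A_TO_BRIDGE],
                              {ROOT_A_ANCHOR})))
    # A relying party that trusts Root B directly needs no bridge at all.
    print(describe(build_path(LEAF_B, POOL, {ROOT_B_ANCHOR})))
```

The path for the Root A relying party runs leaf, then the bridge's cross-certificate for Root B, then Root A's cross-certificate for the bridge, and stops there because Root A is the configured anchor; the bridge's self-signed certificate never appears in the path, which is the sense in which the bridge is not a trusted root. Dropping the single Root A to Bridge cross-certificate from the pool makes the search fail, which is how a root leaves a bridge without touching any relying party's anchor store.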

