Thanks Mark, that was an extremely helpful explanation.   When I asked
this question I was hoping to learn if CA certs are self-signed or if
there is some other procedure to authenticate a CA cert as being
legitimate.  From your explanation it sounds like all CA certs are
generated by the CA itself and then it's left up to every browser
vendor whether or not they want to include a particular CA's cert in
its bundle.

On Tue, Jun 1, 2010 at 8:19 AM, Mark H. Wood <mw...@iupui.edu> wrote:
> This should be more widely understood:  an application considers a CA
> trusted because some human told it so.  There is no other way.
>
> The "recognized" CAs are trusted by e.g. your browser because the
> maker of the browser decided to trust them and so put them into the
> list of trusted CAs that is packed in the browser.  Others have
> written about the kinds of things those CAs needed to do in order to
> gain that trust.  If you decide that you don't trust one of them, you
> can take it out and it becomes untrusted *for you*.
>
> If you decide to trust a CA that hasn't made the browser makers'
> goodie lists, you can just install it in your browser's list of
> trusted CAs and it becomes trusted *for you*.  Anyone else can do that
> too, with a similar result for himself.
>
> If any given cert. is calculated to be trusted, that means that, at
> the top of the chain, it can be linked back to a cert. that someone
> marked manually as trusted.  Trust is not calculable without that.
>
> Really, the only thing protecting most people from rogue CAs is the
> browser makers' understanding that they, too, are in a position of
> trust, and could be hurt badly by lax acceptance practices no matter
> how many disclaimers they slather onto the EULA.  We should all check
> and tune our browsers' trust lists.  (No, I haven't.)
>
> --
> Mark H. Wood, Lead System Programmer   mw...@iupui.edu
> Balance your desire for bells and whistles with the reality that only a
> little more than 2 percent of world population has broadband.
>        -- Ledford and Tyler, _Google Analytics 2.0_
>
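As an added illustration of the calculation Mark describes (this is example code, not anything posted in this thread), the Go program below builds a self-signed root CA and a server certificate it issued, then checks the leaf against three trust lists: one holding that root, an empty one, and one holding an unrelated root. The CA names and the host name example.test are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// issue generates a key for tmpl and signs the cert with issuerKey. issuer == nil means
// the cert signs itself, which is all a root CA certificate ever is.
func issue(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildChain makes a self-signed root CA named caName and a server cert for host issued by it.
func BuildChain(caName, host string) (root, leaf *x509.Certificate) {
	now, later := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now, NotAfter: later, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: later, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
	return root, leaf
}

// TrustedBy is the calculation Mark describes: leaf is trusted only if its chain ends at one
// of the anchors, i.e. at a cert somebody put in the list by hand. No anchors, no trust.
func TrustedBy(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty but non-nil: a nil Roots would fall back to the OS trust store
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Removing a root from the anchors list is exactly what "taking it out of the browser" does: the same leaf, unchanged, stops verifying.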
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org