quis custodiet ipsos custodes?

The unauthorized certificate was created after a Trusted Root certificate authority in Turkey, Turktrust, issued intermediate Certificate Authority certificates to two entities last year that should not have received them. Turktrust told Google that it issued the two CA certificates by mistake, inadvertently giving the two entities certificate authority status.

The point of the Certificate Authority is to be a trusted third party, validating that the owner of a certificate is entitled to be the owner of that certificate. The problem lies in allowing a CA to subdelegate that authority – and to not have checked that subdelegation was appropriate.

Some form of cross-check – possibly, the requirement that any CA be vetted by at least two other CAs – is clearly appropriate.

Comments are closed.