X.509-formatted public encryption/signing keys can either be self-signed or signed by a Certificate Authority (CA) which certifies the identity of the keyholder to some extent. The keys of many CAs are embedded in web browsers and distributed with TLS-enabled (SSL is the old standard) applications. Like all public cryptography keys, the keys of CAs should be verified by confirming their fingerprints with the keyholders. Browsers that have such CA keys embedded in them are usually not distributed securely, which makes the keys effectively unverified and leaves the browser itself open to being trojaned. Other applications that distribute CA's keys often do so without verifying, or even providing information on how to verify, the keys. Also, many software vendors include the keys of some CAs but not others. The following is a list of several CAs, their keys/certificates/revocations, and their contact information, to make verifying their public keys easier.

name (primary country, note):

• Baltimore CyberTrust (.ie, commercial)
  
  (NB: SSL site bogus/reassigned, non-SSL site rearranged/stripped, root certs sold to beTRUSTed?)
  keys: https://www.baltimore.com/OmniRoot/RootCenter/Agreement.asp
  call: https://www.baltimore.com/contactus/
  home: https://www.baltimore.com/
  
  
• BelSign
  
  see GlobalSign (deprecated: http://www.belsign.be/)
  
  
• beTRUSTed (.us, commercial)
  
  keys: https://www.betrusted.com/rootcertificates/download.html
  call: https://www.betrusted.com/aboutus/contactus/index.asp
  home: https://www.betrusted.com/
  
  
• CAcert (.au, free/low-cost)
  
  keys: https://www.cacert.org/index.php?id=16
  call: https://www.cacert.org/index.php?id=28
  home: https://www.cacert.org/
  
  
• Certum (.pl, commercial)
  
  CRLs: https://crl.certum.pl/
  keys: https://www.certum.pl/en/eng/products/keys/
  call: https://www.certum.pl/english/eng/contact/addresses/
  home: https://www.certum.pl/
  
  
• CREN (.us, only for member educational institutions)
  
  keys: http://www.cren.net/crenca/cren_root/getrepcert.crt
  call: http://www.cren.net/cren/contact.html
  home: http://www.cren.net/
  
  
• Deutsche Telekom (.de, commercial)
  
  keys: https://wwwca.telesec.de/Pub_Cert/T_Root_CA1_akz/DownLoadDTRoot.html
  home: https://wwwca.telesec.de/
  
  
• Digital Signature Trust (.us, commercial)
  
  keys: http://www.digsigtrust.com/wwwapps/roots.html
  call: http://www.digsigtrust.com/company/contact.html
  home: http://www.digsigtrust.com/
  
  
• Entrust (.us, commercial)
  
  keys: http://www.entrust.net/developer/index.htm
  call: http://www.entrust.net/contact/index.htm
  home: http://www.entrust.net/
  
  
• Equifax
  
  see GeoTrust (deprecated: http://www.equifaxsecure.com/)
  
  
• GlobalSign (.be, commercial)
  
  keys: https://www.globalsign.net/securedby/check/
  call: https://www.globalsign.net/company/contact.cfm
  home: https://www.globalsign.net/
  
  
• GeoTrust (.us, commercial)
  
  keys: https://www.geotrust.com/resources/root_certificates/index.htm
  call: https://www.geotrust.com/contact/contact.htm
  home: https://www.geotrust.com/
  
  
• GTE CyberTrust
  
  see Baltimore CyberTrust (deprecated: https://www.cybertrust.gte.com/)
  
  
• KMD (.dk, commercial)
  
  keys: https://www.kmd-ca.dk/KMD-CA-Server.crt and https://www.kmd-ca.dk/rodcert/KMD-CA-KPerson.crt
  call: https://www.kmd-ca.dk/kontakt.htm
  home: https://www.kmd-ca.dk/
  
  
• Posten (Norway Post) (.no, commercial)
  
  home: http://www.posten.no/ ?
  
  
• RSA Data Security
  
  see VeriSign
  
  
• Thawte (owned by VeriSign) (.za, commercial, some free personal certs)
  
  CRLs: https://www.thawte.com/cgi/lifecycle/roots.exe
  keys: https://www.thawte.com/html/SUPPORT/server/softwaredocs/trustmap.html
  call: https://www.thawte.com/html/CORPORATE/popups/contacts.html
  home: https://www.thawte.com/
  
  
• TrustCenter (.de, commercial, some free personal certs)
  
  CRLs: https://www.trustcenter.de/cgi-bin/CRL.cgi?language=en
  keys: https://www.trustcenter.de/company/fingerprints/en/en.htm and https://www.trustcenter.de/certservices/cacerts/en/en.htm
  call: https://www.trustcenter.de/contact/en/en.htm
  home: https://www.trustcenter.de/
  
  
• USPS (United States Postal Service) (.us, commercial)
  
  dead.
  
  home: http://www.usps.com/cps/
  
  
• ValiCert (.us, commercial)
  
  keys: https://www.valicert.com/certificates.html
  call: https://www.valicert.com/corporate/contact.html
  home: https://www.valicert.com/
  
  
• VeriSign (.us, commercial)
  
  CRLs: https://www.verisign.com/repository/crl.html
  keys: https://www.verisign.com/repository/root.html
  call: https://www.verisign.com/corporate/about/contact/
  home: https://www.verisign.com/
  

--
Jason Harris

$Date: 2004/11/15 23:11:19 $