up/home
X.509-formatted public encryption/signing keys can either be self-signed or
signed by a Certificate Authority (CA) which certifies the identity of the
keyholder to some extent. The keys of many CAs are embedded in web browsers
and distributed with TLS-enabled (SSL is the old standard) applications.
Like all public cryptography keys, the keys of CAs should be verified by
confirming their fingerprints with the keyholders. Browsers that have such
CA keys embedded in them are usually not distributed securely, which makes
the keys effectively unverified and leaves the browser itself open to being
trojaned. Other applications that distribute CA's keys often do so without
verifying, or even providing information on how to verify, the keys. Also,
many software vendors include the keys of some CAs but not others. The
following is a list of several CAs, their keys/certificates/revocations,
and their contact information, to make verifying their public keys easier.
name (primary country, note):
- Baltimore CyberTrust (.ie, commercial)
(NB: SSL site bogus/reassigned, non-SSL site rearranged/stripped, root certs sold to beTRUSTed?)
keys: https://www.baltimore.com/OmniRoot/RootCenter/Agreement.asp
call: https://www.baltimore.com/contactus/
home: https://www.baltimore.com/
- BelSign
see GlobalSign (deprecated: http://www.belsign.be/)
- beTRUSTed (.us, commercial)
keys: https://www.betrusted.com/rootcertificates/download.html
call: https://www.betrusted.com/aboutus/contactus/index.asp
home: https://www.betrusted.com/
- CAcert (.au, free/low-cost)
keys: https://www.cacert.org/index.php?id=16
call: https://www.cacert.org/index.php?id=28
home: https://www.cacert.org/
- Certum (.pl, commercial)
CRLs: https://crl.certum.pl/
keys: https://www.certum.pl/en/eng/products/keys/
call: https://www.certum.pl/english/eng/contact/addresses/
home: https://www.certum.pl/
- CREN (.us, only for member educational institutions)
keys: http://www.cren.net/crenca/cren_root/getrepcert.crt
call: http://www.cren.net/cren/contact.html
home: http://www.cren.net/
- Deutsche Telekom (.de, commercial)
keys: https://wwwca.telesec.de/Pub_Cert/T_Root_CA1_akz/DownLoadDTRoot.html
home: https://wwwca.telesec.de/
- Digital Signature Trust (.us, commercial)
keys: http://www.digsigtrust.com/wwwapps/roots.html
call: http://www.digsigtrust.com/company/contact.html
home: http://www.digsigtrust.com/
- Entrust (.us, commercial)
keys: http://www.entrust.net/developer/index.htm
call: http://www.entrust.net/contact/index.htm
home: http://www.entrust.net/
- Equifax
see GeoTrust (deprecated: http://www.equifaxsecure.com/)
- GlobalSign (.be, commercial)
keys: https://www.globalsign.net/securedby/check/
call: https://www.globalsign.net/company/contact.cfm
home: https://www.globalsign.net/
- GeoTrust (.us, commercial)
keys: https://www.geotrust.com/resources/root_certificates/index.htm
call: https://www.geotrust.com/contact/contact.htm
home: https://www.geotrust.com/
- GTE CyberTrust
see Baltimore CyberTrust (deprecated: https://www.cybertrust.gte.com/)
- KMD (.dk, commercial)
keys: https://www.kmd-ca.dk/KMD-CA-Server.crt and https://www.kmd-ca.dk/rodcert/KMD-CA-KPerson.crt
call: https://www.kmd-ca.dk/kontakt.htm
home: https://www.kmd-ca.dk/
- Posten (Norway Post) (.no, commercial)
home: http://www.posten.no/ ?
- RSA Data Security
see VeriSign
- Thawte (owned by VeriSign) (.za, commercial, some free personal certs)
CRLs: https://www.thawte.com/cgi/lifecycle/roots.exe
keys: https://www.thawte.com/html/SUPPORT/server/softwaredocs/trustmap.html
call: https://www.thawte.com/html/CORPORATE/popups/contacts.html
home: https://www.thawte.com/
- TrustCenter (.de, commercial, some free personal certs)
CRLs: https://www.trustcenter.de/cgi-bin/CRL.cgi?language=en
keys: https://www.trustcenter.de/company/fingerprints/en/en.htm and
https://www.trustcenter.de/certservices/cacerts/en/en.htm
call: https://www.trustcenter.de/contact/en/en.htm
home: https://www.trustcenter.de/
- USPS (United States Postal Service) (.us, commercial)
dead.
home: http://www.usps.com/cps/
- ValiCert (.us, commercial)
keys: https://www.valicert.com/certificates.html
call: https://www.valicert.com/corporate/contact.html
home: https://www.valicert.com/
- VeriSign (.us, commercial)
CRLs: https://www.verisign.com/repository/crl.html
keys: https://www.verisign.com/repository/root.html
call: https://www.verisign.com/corporate/about/contact/
home: https://www.verisign.com/
--
Jason Harris
up/home
$Date: 2004/11/15 23:11:19 $