Tuesday, September 07, 2004

If you manage any web servers that use a Verisign SSL certificate, then you had a fairly good chance of experiencing the Verisign Intermediate CA Replacement Problem. Yes, I know that the problem has a simple solution, but having recently missed this step when deploying a new web server, I'm still a little peeved about the SSL certificate distribution and CA trust model. While I don't claim to know how to fix the model, there are a couple of things that I think are worth considering. First, I understand that a distributed trust hierarchy is required to make x.509 certificates work as a broad standard. But since there are really a limited number of root CA's trusted by the majority of web browsers, there should be more opportunity to automate the root CA and intermediate CA certificate management processes. This idea applies to both server certificate chains (as in the case mentioned above) and to client Trusted CA lists. There are a few standards (or functional sections of standards) that could be used to implement this functionality. The only problem I see is a broad acceptance of any distribution model with both the CA's and the client software. Either way, this is something that I am going to think more about in the coming weeks.