
ValiCert root cert


Ralph Holz (TUM)

Dec 14, 2012, 8:04:15 AM12/14/12
to mozilla-dev-s...@lists.mozilla.org
Good day,

It has been brought to my attention (by students in our NetSec class) that ValiCert has two root certificates in the Mozilla root store. The domain that they point to is valicert.com - which is now operated by a company called Axway.

I have a few questions, and I would be grateful if someone here has the answers.

1) Was ValiCert always operated by Axway?

2) If no, is the ValiCert Root CA still operated? It is not listed under the products offered by Axway.

3) Is control over the private key/HSM assured now by the same standards that were guaranteed when ValiCert applied?

4) If ValiCert was sold to Axway, was Mozilla notified of this change?

None of these questions may lead to critical insights, but I am very happy that our students found this phenomenon, and I think they deserve answers as they may become our future security practitioners.

Ralph

Phillip Hallam-Baker

Dec 14, 2012, 8:17:02 AM12/14/12
to Ralph Holz (TUM), mozilla-dev-s...@lists.mozilla.org
Tumbleweed and Valicert merged about a decade ago. For some reason it seems
that two failing tech startups that were losing money could turn a profit
if they merged.

Tumbleweed changed its name to Axway.


The relevant question would seem to be whether they have a recent audit. If
someone is going to the trouble of being audited and maintaining a CPS then
it probably means they are doing something with the root.
--
Website: http://hallambaker.com/

Rob Stradling

Dec 14, 2012, 9:14:27 AM12/14/12
to Ralph Holz (TUM), mozilla-dev-s...@lists.mozilla.org, Phillip Hallam-Baker
Ralph, according to Kathleen's "BuiltInCAs" spreadsheet [1], the 3
ValiCert Root Certificates are currently owned by SECOM Trust Systems
Co. Ltd., GoDaddy and RSA (EMC).

[1] http://tinyurl.com/MozillaBuiltInCAs
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

Wayne Thayer

Dec 14, 2012, 11:06:38 AM12/14/12
to Ralph Holz (TUM), mozilla-dev-s...@lists.mozilla.org
I can confirm that "ValiCert Class 2 Policy Validation Authority" is included in Go Daddy's CPS and covered under the corresponding WebTrust audit.

Thanks,

Wayne

Peter Gutmann

Dec 14, 2012, 4:55:08 PM12/14/12
to mozilla-dev-s...@lists.mozilla.org, ralph...@gmail.com
"Ralph Holz (TUM)" <ralph...@gmail.com> writes:

>None of these questions may lead to critical insights, but I am very happy
>that our students found this phenomenon, and I think they deserve answers as
>they may become our future security practitioners.

It would be a good idea to point out to them that CA roots, the most valuable
thing a CA possesses once the liquidators come in, are freely (well, quietly
and discreetly) traded when the CA goes out of business, and this has been
ongoing since the dot-com bust a decade ago, with some roots being sold and
re-sold multiple times. It might be an interesting exercise for your students
to track down who currently controls what keys/roots.

(I used to buy HSMs off eBay to see what I'd find in them. I never got a
browser-trusted root, but I did get root CAs for a few government departments
and large corporates).

Peter.
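As an added, stand-alone example (not part of this thread, and not data from the Mozilla spreadsheet): a Go program that does the first half of the exercise Peter suggests, inventorying a PEM root bundle and listing, for each certificate, its subject, SHA-256 fingerprint, expiry, and whether it is a self-signed CA, then filtering by CA name. The three certificates are generated locally at run time as stand-ins: their names are modelled on the "ValiCert Class 2 Policy Validation Authority" root named earlier in the thread, but their keys, dates and fingerprints are constructed for this example and belong to no real root. To run it against a real store, feed the bytes of a bundle such as the system's ca-certificates file to Inventory instead of SampleBundle().

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RootInfo records, for each certificate in a bundle, the properties an
// auditor checks first when asking "is this root still in the store?".
type RootInfo struct {
	Subject    string
	Issuer     string
	SHA256     string // hex fingerprint of the DER encoding
	NotAfter   time.Time
	IsCA       bool
	SelfSigned bool // signature verifies under the cert's own public key
	Expired    bool // relative to the reference time passed to Inventory
}

// makeRoot builds a constructed self-signed CA certificate. The names are
// stand-ins for this example, not the real ValiCert or Mozilla roots.
func makeRoot(serial int64, org, cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Inventory parses every CERTIFICATE block in a PEM bundle. Other PEM block
// types are skipped; an unparseable certificate is an error, not a silent drop.
func Inventory(bundle []byte, now time.Time) ([]RootInfo, error) {
	var out []RootInfo
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(out)+1, err)
		}
		sum := sha256.Sum256(cert.Raw)
		out = append(out, RootInfo{
			Subject:    cert.Subject.String(),
			Issuer:     cert.Issuer.String(),
			SHA256:     hex.EncodeToString(sum[:]),
			NotAfter:   cert.NotAfter,
			IsCA:       cert.IsCA,
			SelfSigned: cert.CheckSignatureFrom(cert) == nil,
			Expired:    now.After(cert.NotAfter),
		})
	}
	return out, nil
}

// FindRoots returns the entries whose subject contains needle (case-insensitive):
// every root a given CA name still has in the store.
func FindRoots(infos []RootInfo, needle string) []RootInfo {
	var hits []RootInfo
	needle = strings.ToLower(needle)
	for _, r := range infos {
		if strings.Contains(strings.ToLower(r.Subject), needle) {
			hits = append(hits, r)
		}
	}
	return hits
}

// SampleBundle is a constructed three-certificate bundle: two ValiCert-named
// stand-ins (the first already expired at ReferenceTime) and one unrelated root.
func SampleBundle() []byte {
	utc := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	var b []byte
	b = append(b, makeRoot(1, "ValiCert, Inc.", "ValiCert Class 1 Policy Validation Authority", utc(1999, 6, 25), utc(2004, 6, 25))...)
	b = append(b, makeRoot(2, "ValiCert, Inc.", "ValiCert Class 2 Policy Validation Authority", utc(1999, 6, 26), utc(2019, 6, 26))...)
	b = append(b, makeRoot(3, "Example Trust Ltd", "Example Trust Root CA", utc(2010, 1, 1), utc(2030, 1, 1))...)
	return b
}

// ReferenceTime is the date of this thread, fixed so the expiry check is stable.
var ReferenceTime = time.Date(2012, 12, 14, 0, 0, 0, 0, time.UTC)

func main() {
	infos, err := Inventory(SampleBundle(), ReferenceTime)
	if err != nil {
		panic(err)
	}
	for _, r := range FindRoots(infos, "valicert") {
		fmt.Printf("%s\n  sha256=%s\n  expires=%s self-signed=%v ca=%v expired=%v\n",
			r.Subject, r.SHA256, r.NotAfter.Format("2006-01-02"), r.SelfSigned, r.IsCA, r.Expired)
	}
}
```

The certificate itself can tell you the name on the root, its fingerprint and whether it has lapsed, but not who holds the private key today; that second half of the exercise has to come from the root program's own records, which is why the thread points at Mozilla's BuiltInCAs spreadsheet.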

Gervase Markham

Dec 17, 2012, 12:26:49 PM12/17/12
to Peter Gutmann
On 14/12/12 21:55, Peter Gutmann wrote:
> It might be an interesting exercise for your students
> to track down who currently controls what keys/roots.

No need: http://tinyurl.com/MozillaBuiltInCAs

Gerv
