The Bridge CA Enigma

["Anders Rundgren" <anders.rundgren@telia.com>]

I have since its conception, followed the development of Bridge CAs.

 

The Bridge CA concept essentially builds on the idea that a set of parties belonging to a "sector", together fund and run a Bridge CA.   To make it useful, the parties should also agree on a limited set of policies.

 

Why do you actually need Bridges?  To create large zones of interoperable trust .

 

To date, it seems that there is a sole entity in the world, the US Government, that have succeeded not only creating, but to some extent also using a bridge CA.

 

The following paper, shows how the US government assumes that competitors within the private enterprise sector will unite on bridge CAs: http://csrc.nist.gov/pki/documents/B2B-article.pdf

 

A question that begs for an answer: If the above plan doesn't work as planned, how should/will the PKI community proceed in order to create interoperability for B2B and similar?

 

It would be interesting hearing your thoughts on this.

 

That the interoperability problem is for real is without doubt the case; if every company runs their own CA (why shouldn't they?), each B2B party will have to manually administer 100-100000 of more or less unknown trust anchors.  It is in this context important to realize that the primary motive for running an enterprise PKI, is for securing internal operations which of course works fine, since there is just one trust anchor to administer and it comes from a trusted source.  That is, the needs of external parties do not have first-hand priority.

 

Anders Rundgren

 

It is also worth noting that Financial Industry, have managed to create secure, globally interoperable payment networks without even touching certificate policies for bank employees.