Comment Re:uh, no? (Score 1) 255

Prudential uses it (partly for its logging facilities, partly for its ACLs, partly because they know that they can control what information is shown to/used/dealt with/modified by any part of their business).

Philips uses it for internal workflow and business intelligence.

Comment Re:So, what's the big deal (Score 1) 300

There's a middle ground between "entity" and "communications." Yes, it is very difficult to verify that a certificate is being issued to the entity "Bank of America," but it should not be hard to verify that you're issuing a certificate to the domain name www.bankofamerica.com. And the latter is all you need to protect against MITM.

No, it's not. Mozilla knows of at least one instance where a user on a public wifi network had communications with a TLS-secured site MITM'd, and she allowed it by creating a security exception for an unknown CA that issued a certificate to CN=*.

Comment Re:Big trouble at PositiveSSL. (Score 1) 300

Comodo's "authorityInformationAccess" only provides an OCSP responder URL, not a CRL. Apple's Keychain doesn't really handle OCSP by default (you have to go into Keychain Access, go to properties, go to the Certificates tab, and select OCSP: Best Attempt).

However, that's a "soft fail" mode, and if you block the OCSP responder host, it'll still allow it both in Firefox and Safari.

Comment Re:Don't do this at home (Score 1) 300

I wish you'd put your two cents in on the dev-tech-crypto@mozilla.org mailing list.

Right now, they're avoiding removing the trust bits because that would essentially mean 3 months of not being able to authenticate Comodo certificates. They claim that it's because they don't want to inconvenience the end-users, but I tend to think that they're doing it because they've been paid not to.

Security

Submission + - Disclosure: No-check SSL Certificates... (startcom.org) 4

StartCom writes: "In a previous article I reported about Man-In-The-Middle (MITM) attacks and if they really happen. Unfortunately it does happen as some testimonials confirm. Now it's even easier because in the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and fully trusted certificate? No problem, just head over to one of Comodo's resellers.

And here is the disclosure: In order to confirm for yourself, edit the hosts file at your computer and add the following entry:"

Comment University credit? (Score 1) 185

Student tech service:

1) Provide a means and place for people to apply what they learn in class (simple webspaces, simple CGI on Apache)
2) Provide a means and place for people to learn about things they won't learn in class (WebDAV and deployment of Flash and real-world security policies)
3) Try to contact Microsoft and IBM to see about getting free copies of their software to make available for your group (as well as quotes on exactly how much they would cost if they were sold to real-world businesses), and if you have an academic advisor get them to make the inquiry for you.
4) More than anything else, become a means for students (and possibly people in the community who need help) to get the things that they need to get done /done/.

Take on the challenge of finding local nonprofits that need websites, and then find students (or teams of students) who are willing to take on those needs. Better yet, see if you can provide a list of site requirements to a web development instructor, or get the various parts of the faculty to look to you for real-world projects for their students' portfolios. (A web developer, say, to code it; a graphic-arts-for-web major to do the imagery; a back-end database guy to get real-world understanding of what the various database metrics actually mean; a project manager, to make sure everything gets done...)

Perhaps you could even go so far as to get something offered through your organization an independent CS course number for independent work.

Realistically, you know you need to make your organization non-redundant. I'm inclined to agree with the "college DJ" thing (especially if your college doesn't have a radio station, it'd be possible to build a netcasting system that would at least be available to people on your college network); I also agree with the ipv6 bridging idea (if you need an ipv6 tunnel provider, you can always email ipv6 at research.earthlink.net -- that's where I get my home tunnel from).

You have resources. You realize that your resources are being duplicated. Now, your job is to figure out how to keep your resources relevant. (I wonder if you could get business credit for trying to overhaul this -- you're basically doing what a CEO needs to do when faced with an increasingly competitive marketplace and the need to reinvent the organization.)

Above all: Good luck!
