nanog mailing list archives

Re: Verisign CRL single point of failure


From: Sean Donelan <sean () donelan com>
Date: Fri, 9 Jan 2004 12:10:47 -0500 (EST)


On Fri, 9 Jan 2004, Stephen J. Wilcox wrote:
> I'm not sure what's involved in getting your own root certs added to browser/OS
> distributions but there's nothing afaik that says Verisign is the sole company
> providing this, presumably anyone else can agree with MS/whoever to have their
> root certs added.. ?

There is nothing that says everyone must use BIND software either.

Verisign frequently points out the risks of having critical infrastructure
distributed among several independent organizations, and how it would be
much better if a single company (i.e. Verisign) controlled it.  But when
95% of the market depends on a single organization, even normal problems
are magnified.  Certificates normally expire, software normally has bugs,
operators normally make mistakes.  When those normal things happen, if
the organization controls almost all of the market, mistakes impact almost
all of the market.


