nanog mailing list archives

Re: Verisign CRL single point of failure


From: Sean Donelan <sean () donelan com>
Date: Fri, 9 Jan 2004 12:25:01 -0500 (EST)


On Fri, 9 Jan 2004, Jeff Shultz wrote:
So there appear to be alternatives to VeriSign (why is it that most of
these companies have two capitals in their names?). I do remember
seeing someone elsewhere complaining that he'd been trying to get his
root cert added to Mozilla for two years now, so it may not be all that
simple.

Yep, and several Universities have their own root certificates their
campus users can add to their local browsers independent of other CA's.

Nevertheless, several SSL surveys say Verisign (and Verisign controlled
companies) control a super-majority of the certificates actively in use
on the Internet.  So if you are a critical infrastructure planner, you
need to balance whether you use the dominant market player or several
different CA's, or try to be your own CA.

You may even want to obtain certificates from two different CA's in
case one of them fails.
