Re: [IETF-PKIX] Multiple certificates for same key?
Tony,
>
>I am curious that no one took me up on what might be another source of
>key-overloading: a "low-cost CA" willing to issue a narrow attribute,
>role or authorization certificate, and relying upon the existence of a
>"classy ID certificate" for its validity, the CA essentially riding
>piggy-back upon the due diligence of the more reputable CA.
>Good examples don't come to mind, but I just get a feeling...
Here's one: A company collects code signing certificates issued by
VeriSign for Netscape or Microsoft browsers, extracts the public
keys, and creates certificates granting "Pond-Scum Platinum"
status to the company which was issued the code-signing certificate.
Unfortunately, the software vendor, believing that the only exposure
which he might face in connection with the use of his certificate lay in
erroneously signing code containing bugs, has very carefully isolated
the use of the key to within the QC department, but has not implemented
any other procedures. Now an evil malefactor in QC decides to use his
new Platinum card certificate and the code signing key to which he has
legitimate access to order a brand new Lear jet. It is charged to
the company card and is to be delivered to a small private airstrip in the
New Mexico desert. He flies off, laughing, never to be seen again.
Pond-Scum Platinum says to the company, "You digitally signed
for it, ergo you bought it. What happened then isn't our concern."
The company retorts that they never requested the issuance of the certificate,
but the CA claims that the missing employee gave the verbal OK.
Bob