How to prove a Root Certificate

When a company establishes a PKI they usually publish their Root Certificate on their web site. Often they publish cryptographic hashes of the Root Certificate so that people who download it can verify that it has not been tampered with. The problem is that if anyone was able to tamper with the published Root Certificate (by compromise of the web page or a man in the middle attack) then they would also be able to tamper with the published hashes. 

I was involved in establishing a PKI and that set me thinking about how best to prove the authenticity of the Root Certificate. There are several ways. An obvious one is to use SSL on the web page. Another is to publish the hashes on multiple web sites, like this blog for example. So, here they are:    Root Certificate hashes   

Another way is to have the Root Certificate signed by an external key, such as the PGP Digital Timestamping Service and then publish the signature like this  root-certificate-timestamp.asc  

Here is the signature from another timestamping service TimeMarker    timemarkerorg_marker.pgp 

They also offer a service to timestamp a URL link and here is the result  timemarkerorg.zip

Leave a Reply

You must be logged in to post a comment.