* Crist Clark:
Any large, well funded national-level intelligence agency almost certainly has keys to a valid CA distributed with any browser or SSL package. It would be trivial for the US Gov't (and by extension, the whole AUSCANNZUKUS intelligence community) to simply form a shell company CA that could get a trusted cert in the distros or enlist a "legit" CA to do their patriotic duty (along with some $$$) and give up a key.
I think this is far too complicated. You just add your state PKI to the browsers, and the CPS does not require any checks on the Common Name, to verify it's actually somehow controlled by the certificate holder. Curiously, such CAs can pass Webtrust audits. Now I'm a realist and assume that the bureaucrats involved are just too incompetent to write a proper CPS (and the auditors to lazy to notice). Authoring policies and paying attention to detail, should be second nature to them, but somehow I doubt that the FPKI (say) issues certificates for non-federal entities to help with ongoing FBI investigations. (Same for the German government agencies who actually managed to get Mozilla approval for their non-CN-checking CAs.) -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99