Prudential uses it (partly for its logging facilities, partly for its ACLs, partly because they know that they can control what information is shown to/used/dealt with/modified by any part of their business).
Philips uses it for internal workflow and business intelligence.
Certifying Authority keys are assets, and thus capable of being transferred. The original name might be out of business, but the keys still exist.
I don't know if there's an ongoing audit requirement in that case, though.
There's a middle ground between "entity" and "communications." Yes, it is very difficult to verify that a certificate is being issued to the entity "Bank of America," but it should not be hard to verify that you're issuing a certificate to the domain name www.bankofamerica.com. And the latter is all you need to protect against MITM.
No, it's not. Mozilla knows of at least one instance where a user on a public wifi network had communications with a TLS-secured site MITM'd, and she allowed it by creating a security exception for an unknown CA that issued a certificate to CN=*.
Comodo's "authorityInformationAccess" only provides an OCSP responder URL, not a CRL. Apple's Keychain doesn't really handle OCSP by default (you have to go into Keychain Access, go to properties, go to the Certificates tab, and select OCSP: Best Attempt).
However, that's a "soft fail" mode, and if you block the OCSP responder host, it'll still allow it both in Firefox and Safari.
Mozilla and MS have made it as difficult as possible to inspect the certificate. Safari (and Apple's Keychain Manager) make it easier, but it's still a lot of information to try to digest.
I wish you'd put your two cents in on the dev-tech-crypto@mozilla.org mailing list.
Right now, they're avoiding removing the trust bits because that would essentially mean 3 months of not being able to authenticate Comodo certificates. They claim that it's because they don't want to inconvenience the end-users, but I tend to think that they're doing it because they've been paid not to.
SSL (now TLS) does allow certificate-less operation, and has since SSLv2. In that case, the key agreement is done via ephemeral Diffie-Hellman (DH without any static/attested key).
Why do you think Microsoft stopped trusting external CAs for its updates in Vista? It runs its own in-house CA at this point, and that's the only CA that can issue certificates that can sign updates for Windows.
What we anticipate seldom occurs; what we least expect generally happens. -- Bengamin Disraeli
