The need for anonymous digital certificates that protect the privacy of individuals is well-accepted, but the need for anonymous certificates from businesses and certificate authorities is often overlooked.
This issue arose during discussions at the recent eWeek Labs eValuation of PKI (public-key infrastructure) systems. Content secured with digital certificates is protected by strong encryption, but as long as certificates carry information about senders, a snoop can glean key information just by knowing what a person has chosen to protect and sign.
Because companies and CAs (certificate authorities) operate as trusted authorities, anonymous certificates might seem a strange choice for them. However, signed certificates themselves can be revealing. For example, anyone who cares to can identify employees and trade partners of a government agency via its keys. In addition, when a digital certificate is used as a public key, a miscreant might be able to sign content with the key to make it look like information originated from an organization.
Businesses shouldn't automatically distrust content signed by an anonymous CA. It might be more trustworthy than you think.