
Trent W. Buck <trentbuck@gmail.com> wrote:
Nitpick: you're talking about X.509, not TLS.
Even in X.509, there is provision for bridging certificates, cross-certificates, etc. I haven't investigated how these work; they aren't equivalent to a PGP-style web of trust, but I understand that CAs can certify each other.
The farthest I have come along this road was to create my own CA and to issue certificates for my hosts.
To load a driver into a 64-bit Windows kernel (except for 2003) it has to be signed, and it has to be signed by a certificate that chains back to Microsoft's CA, which means you also have to use one of the Microsoft cross-certificates (which limits your choice of CA, although there is a large number to choose from now). In addition you need to have the driver signed by a recognised timestamp server to prove that your binary was signed during the time that your certificate was valid (unless you want the binary to expire with the certificate). Given that all that is possible and not even really difficult, I assume that what you are saying is achievable.

James
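The two checks James describes, chain building through a cross-certificate and validating the signing certificate at the timestamped signing time rather than at load time, as an added toy model (not code from this thread or from Windows; the certificate names, dates and key ids are constructed, and "Platform Root" is a placeholder for the vendor anchor):

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate: only the fields that chain
    building and time validation look at (constructed, not real certs)."""
    subject: str
    issuer: str
    key_id: str        # certified public key; a cross-cert re-certifies the same key
    not_before: datetime
    not_after: datetime

def build_path(leaf: Cert, pool: list, roots: set) -> Optional[list]:
    """Follow issuer names from the leaf until a trusted root is reached. If the
    pool holds both a CA's self-signed cert and a cross-cert for that CA's key
    issued by a trusted root, prefer the cross-cert: it is the only route by
    which a private CA's signatures chain to the platform anchor."""
    path, seen = [leaf], {leaf}
    while path[-1].issuer not in roots:
        want = path[-1].issuer
        cands = [c for c in pool if c.subject == want and c not in seen]
        if not cands:
            return None                      # no route to any trusted root
        nxt = min(cands, key=lambda c: c.issuer not in roots)
        path.append(nxt); seen.add(nxt)
    return path

def signature_valid(path: list, timestamp: Optional[datetime], now: datetime) -> bool:
    """Every cert in the path must have been valid at signing time. A trusted
    timestamp fixes that moment, so the signature outlives the certificate;
    without one the only defensible time is 'now', so the signature expires
    together with the signing certificate."""
    t = timestamp if timestamp is not None else now
    return all(c.not_before <= t <= c.not_after for c in path)

# Constructed sample PKI (hypothetical names and dates).
def utc_day(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)
PLATFORM_ROOT, PRIVATE_CA, PUBLISHER = "Platform Root", "My Private CA", "Example Publisher"
TRUSTED = {PLATFORM_ROOT}
PRIVATE_CA_SELF = Cert(PRIVATE_CA, PRIVATE_CA, "key-priv", utc_day(2020, 1, 1), utc_day(2030, 1, 1))
CROSS_CERT      = Cert(PRIVATE_CA, PLATFORM_ROOT, "key-priv", utc_day(2020, 1, 1), utc_day(2026, 1, 1))
SIGNING_CERT    = Cert(PUBLISHER, PRIVATE_CA, "key-pub", utc_day(2021, 1, 1), utc_day(2022, 1, 1))

def driver_accepted(pool: list, timestamp: Optional[datetime], now: datetime) -> bool:
    """True if SIGNING_CERT chains to a trusted root and was valid when signed."""
    path = build_path(SIGNING_CERT, pool, TRUSTED)
    return path is not None and signature_valid(path, timestamp, now)
```

With only the private CA's self-signed certificate in the pool no path reaches the trusted root; adding the cross-certificate fixes the chain, and a 2021 timestamp keeps the signature valid in 2023 even though the signing certificate expired in 2022.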