
LoadWB's Journal: AT&T uses "secret" root cert to dictate s/w "compatibility"

This is a copy of the email I sent to AT&T.

A few years ago I began purchasing phones outside of Cingular's marketplace.
I found that Cingular did not carry the phones that I found useful or
attractive. A couple of years ago I picked up the Sony Ericsson K790a.
This is a CyberShot phone which does everything that I need for my personal
and business life.

Unfortunately, this phone is not an official Cingular phone. Even though it
runs the same operating system, Java Platform 7, as several other
Cingular-branded and supported phones, including several of the Sony
Ericsson W-series phones, I am prevented from making purchases online. This
includes ring tones, other multi-media, and Java games.

More importantly to me at this point is that I am prevented from using my
bank's on-line banking system because the application will not install on my
phone due to a missing root certificate.

I attempted to download the application using the link provided by my bank.
I found that the download would fail. I manually captured both the JAD and
JAR files comprising this application and discovered that the JAR file
*will* install and run on my phone; however, as an untrusted application it
lacks some functionality.

Upon examination of the JAD file, I found that it contains two chained
certifications, the primary of which is signed by "Cingular Trusted Root CA"
root.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4955 (0x135b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Cingular Wireless, LLC, CN=Cingular Trusted CA 1
        Validity
            Not Before: Nov 3 02:38:29 2007 GMT
            Not After : Nov 1 02:38:29 2017 GMT
        Subject: C=US, ST=GA, L=Atlanta GA, O=Firethorn Holdings LLC, OU=ATT Trusted for Java - Production, CN=CodeSigning for Firethorn Holdings LLC

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:3c:76:b8:74:c3:61:17:1f:2d:5f:c3:8e:af:fc:b5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Cingular Wireless, LLC, CN=Cingular Trusted Root CA
        Validity
            Not Before: Nov 3 00:00:00 2006 GMT
            Not After : Nov 11 23:59:59 2023 GMT
        Subject: C=US, O=Cingular Wireless, LLC, CN=Cingular Trusted CA 1

The root certificate of this chain is not available anywhere for download.
I am told by Data Support that this certificate is not released to the
public and is only available on Cingular/AT&T-branded phones.
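The mechanism the email describes, as an added example that is not part of the original post and is not code from AT&T, Sony Ericsson or the bank: a Go program (standard library only) that builds a constructed three-level chain with placeholder names, writes a JAD carrying the signer and the intermediate in MIDlet-Certificate-1-1 and -1-2 the way a signing tool does (the root is not in the descriptor), and then models the MIDP 2.0 installer's decision on a handset whose keystore lacks that root versus one that ships with it. Every certificate name, key, the MIDlet name and the attribute values are constructed for this example; only the attribute names come from the MIDP 2.0 specification.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue signs a certificate for name under parent; a nil parent makes it self-signed.
// The names are constructed stand-ins for an operator's CAs, not the ones quoted in the post.
func issue(name string, key *rsa.PrivateKey, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // the signer is an end-entity code-signing certificate, not a CA
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// buildJAD writes the descriptor the way a signing tool does: MIDlet-Certificate-1-1 is the
// signer, -1-2 the intermediate, and the root is not included; the handset must already hold it.
func buildJAD(chain []*x509.Certificate) string {
	var b strings.Builder
	b.WriteString("MIDlet-Name: ExampleBank\nMIDlet-Jar-URL: ExampleBank.jar\n")
	for i, c := range chain {
		fmt.Fprintf(&b, "MIDlet-Certificate-1-%d: %s\n", i+1, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return b.String()
}

// installDomain models the MIDP 2.0 installer: no certificate attributes gives an untrusted install,
// a path chaining to a root in the handset keystore gives a trusted one, and a signed suite whose
// root this handset lacks is rejected rather than downgraded.
func installDomain(jad string, roots *x509.CertPool) string {
	attrs := map[string]string{}
	for _, line := range strings.Split(jad, "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok {
			attrs[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	attrAt := func(m int) string { return attrs[fmt.Sprintf("MIDlet-Certificate-1-%d", m)] }
	if attrAt(1) == "" {
		return "untrusted" // unsigned suite: it installs, but into the untrusted domain
	}
	var leaf *x509.Certificate
	inter := x509.NewCertPool()
	for m := 1; attrAt(m) != ""; m++ { // -1-1 is the signer, the rest are intermediates
		der, _ := base64.StdEncoding.DecodeString(attrAt(m))
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return "rejected" // malformed certificate attribute
		}
		if leaf == nil {
			leaf = cert
		} else {
			inter.AddCert(cert)
		}
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return "rejected" // well-formed path, but it anchors in a root this handset does not hold
	}
	return "trusted"
}

// Scenario runs one signed descriptor through an unlocked handset (empty keystore) and an operator-branded one (root preloaded), then an unsigned descriptor.
func Scenario() (unlocked, branded, unsigned string) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	signerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := issue("Example Operator Trusted Root CA", rootKey, true, nil, nil)
	ca := issue("Example Operator Trusted CA 1", caKey, true, root, rootKey)
	signer := issue("CodeSigning for Example Bank", signerKey, false, ca, caKey)
	jad := buildJAD([]*x509.Certificate{signer, ca})
	operatorStore := x509.NewCertPool()
	operatorStore.AddCert(root) // what only the operator-branded handsets ship with
	unlocked = installDomain(jad, x509.NewCertPool())
	branded = installDomain(jad, operatorStore)
	unsigned = installDomain("MIDlet-Name: ExampleBank\nMIDlet-Jar-URL: ExampleBank.jar\n", x509.NewCertPool())
	return
}

func main() {
	fmt.Println(Scenario()) // unlocked, branded, unsigned
}
```

Run it with go run: the signed descriptor is rejected on the empty keystore and becomes trusted once the root is added, while the descriptor with no certificate attributes installs as untrusted, which is the outcome the email reports for the JAR installed by hand. A real handset additionally verifies the MIDlet-Jar-RSA-SHA1 attribute over the JAR bytes before accepting a trusted install; that step is left out here, and the decision this program makes is a model of the MIDP 2.0 rules, not any vendor's installer.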

The implications are obvious to me: AT&T is preventing otherwise compatible
applications from running on unlocked phones by the use of a "secret" root
certificate. This artificially segregates the market and serves to help
reduce the overall value of my perfectly capable and compatible phone.

I can easily accept that AT&T does not know how to support unsanctioned
phones. For the most part, however, I have found that people capable of
selecting and purchasing an unlocked phone are also capable of supporting
themselves. We also can handle not being able to run Java apps which are
not capable of running on our phones.

But I cannot accept that an application which could run on my phone
otherwise is prevented from doing so artificially by way of a restricted
root certificate.

Thank you for your time.

--
Alan W. Rateliff, II
