On Thu, Mar 31, 2011 at 07:15:58PM +0200, Reindl Harald wrote:
> Am 31.03.2011 18:39, schrieb dchil...@bestmail.us:
>
> > Just for reference for other users, I've 'real' wildcard SSL certs for
> > $99/yr from Comodo.
>
> throw them away, another two CA's from them are compromised and the
> naive CTO says
No need to panic, many a security company has had succumbed to targetted
attack, the recent RSA Securid hack comes to mind.
Provided relying parties don't drop the Comodo root CA from their trusted
CA list, one does not gain any security from switching to a different
provider. The X.509 trusted CA model is only as strong as the weakest
CA, likely Comodo is neither strongest, nor weakest, rather they are
"in the news".
Threats to the CA infrastructure are part of the CA bargain. Verisign
issued some fake Microsoft certs some years back when an account got
broken into.
No CA is going to be perfect.
> "... but what we had not done was adequately consider the new (to us)
> threat model of the RA being the subject of a targeted attack and
> entirely compromised."
>
> i can not remember that i ever heard a more naive argument
They'll beef up the security of the RAs, the arms-race will continue.
--
Viktor.
