Hi,

> yep, DFN is a 'private' sub-CA under tight control but it could still be
> attacked the way DigiNotar was and though I believe their security is a
> lot better than their less fortunate Dutch cousins, a successful attack
> would be just as bad.

That is true for any CA, sub-* or not. The important point is where the private key is kept. In the case of the DFN, the 'many subCAs' are actually RAs without signing capacity. I'd be much more worried about some resellers of the very popular CAs. Anyone remember Comodo's InstantSSL reseller?

Ralph

--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
