Educause Security Discussion mailing list archives
Re: Detecting Certificate Authority compromises and web browser collusion
From: Dean Woodbeck <woodbeck () INTERNET2 EDU>
Date: Thu, 24 Mar 2011 20:58:59 -0400
On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:
This is a very interesting article on the failure of the certificate authority model of trust. Additionally, it's worth noting that the specific breach involved Comodo, which is the CA for the new Internet2 InCommon Federation CA.
But this in no way affects nor involves the InCommon Certificate Service. Here is the information that John Krienke, COO of InCommon, sent to the community today:

-----------------

InCommon Certificate Service partner, Comodo, had a recent incident that has appeared in community news/blog sources, and there may be some questions developing.

A short summary of the story: A Comodo reseller account was compromised and some certificates were issued that could be used to spoof high-value websites. Comodo has revoked the certificates and communicated details of the incident in a blog post (see below).

Key points for us:

- This in no way affects the InCommon Certificate Service, the InCommon physical Certificate Authority (CA) systems, or for that matter any Comodo CA. The incident involved an account username/password issue. The security of all the Comodo CAs and their private keys are intact.
- I met with community experts that serve on our PKI subcommittee last night to review the facts. You can be assured that we're actively monitoring the situation.
- It's also worth noting that InCommon uses two-factor authentication for all of its master login accounts (passwords combined with physical tokens).

Comodo's blog post:
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

----------

Dean Woodbeck
Program Manager, InCommon
woodbeck () internet2 edu
(734) 352-7007
www.incommon.org