Educause Security Discussion mailing list archives

Re: Detecting Certificate Authority compromises and web browser collusion


From: Dean Woodbeck <woodbeck () INTERNET2 EDU>
Date: Thu, 24 Mar 2011 20:58:59 -0400


On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:

This is a very interesting article on the failure of the certificate authority model of trust.  Additionally, it's 
worth noting that the specific breach involved Comodo, which is the CA for the new Internet2 InCommon Federation CA.

But this in no way affects nor involves the InCommon Certificate Service. Here is the information that John Krienke, 
COO of InCommon, sent to the community today:

-----------------
InCommon Certificate Service partner, Comodo, had a recent incident that has appeared in community news/blog sources, 
and there may be some questions developing.

A short summary of the story: A Comodo reseller account was compromised and some certificates were issued that could be 
used to spoof high-value websites. Comodo has revoked the certificates and communicated details of the incident in a 
blog post (see below).

Key points for us:

- This in no way affects the InCommon Certificate Service, the InCommon physical Certificate Authority (CA) systems, or 
for that matter any Comodo CA. The incident involved an account username/password issue. The security of all the Comodo 
CAs and their private keys is intact.

- I met with community experts that serve on our PKI subcommittee last night to review the facts. You can be assured 
that we're actively monitoring the situation.

- It's also worth noting that InCommon uses two-factor authentication for all of its master login accounts (passwords 
combined with physical tokens).

Comodo's blog post: http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

----------
Dean Woodbeck
Program Manager, InCommon
woodbeck () internet2 edu
(734) 352-7007
www.incommon.org
