Educause Security Discussion mailing list archives
Re: Detecting Certificate Authority compromises and web browser collusion
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 24 Mar 2011 21:42:09 -0400
On Thu, 24 Mar 2011 20:58:59 EDT, Dean Woodbeck said:
> On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:
>> This is a very interesting article on the failure of the certificate authority model of trust. Additionally, it's worth noting that the specific breach involved Comodo, which is the CA for the new Internet2 InCommon Federation CA.
> But this in no way affects nor involves the InCommon Certificate Service.
All the same, if a vendor tells me "Oh, it's our *other* service that got pwned, not the one you're using", my gut reaction is "Good. That means I'm not automatically dead in the water. So let's take it from the top and you explain to me what steps have been taken to make sure it isn't the service I *do* use next time it happens..."
- It's also worth noting that InCommon uses two-factor authentication for all of its master login accounts
<snark> RSA SecurID, perchance? :) </snark>