Educause Security Discussion mailing list archives
Re: Detecting Certificate Authority compromises and web browser collusion
From: Jack Suess <jack () UMBC EDU>
Date: Thu, 24 Mar 2011 23:57:06 -0400
Valdis, As a preface let me say I'm on InCommon Steering. I have also been involved with the security groups at EDUCAUSE, Internet2, and the REN since we formed them in 2000. If you have been involved in getting on-boarded into the InCommon Comodo service you know InCommon has an extensive registration process to make certain it is being done properly. I read the blogs and there was criticism that Comodo should of done better. After the fact, whenever anyone has had a security incidence you realize you should of done things better. I'm not trying to defend Comodo but I also recognize the difficulty all places are facing in security (RSA is a good example you noted). The distinction between InCommon and vendors is we are much more transparent in what we do. We have a group of campus-based PKI experts that we formed as a subcommittee that reviews and defines everything InCommon does. This group is campus-based in that they all work at universities. Their recommendations role up to our Technical Advisory Committee, again all experts from higher education. When we have issues we communicate them out because we also use the products and our members are colleagues of yours and want to do what is best. Many of us have connections to the REN-ISAC and in fact we had good communication going on between Doug Pearson and the people at Internet2 on this issue. What we can say is if an issue comes up impacting higher ed we'll be right there working with the REN, EDUCAUSE, and Internet2 to get mitigations in places and communicate this to our community. I don't know if that makes you feel more at ease but I take comfort knowing that there are people in higher ed with expertise I respect involved with this and making sure it is done right. jack suess On Mar 24, 2011, at 9:42 PM, Valdis Kletnieks wrote:
On Thu, 24 Mar 2011 20:58:59 EDT, Dean Woodbeck said:On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:This is a very interesting article on the failure of the certificate authority model of trust. Additionally, it's worth noting that the specific breach involved Comodo, which is the CA for the new Internet2 InCommon Federation CA.But this in no way affects nor involves the InCommon Certificate Service.All the same, if a vendor tells me "Oh, it's our *other* service that got pwned, not the one you're using", my gut reaction is "Good. That means I'm not automatically dead in the water. So let's take it from the top and you explain to me what steps have been taken to make sure it isn't the service I *do* use next time it happens..."- It's also worth noting that InCommon uses two-factor authentication for all of its master login accounts<snark> RSA SecureID, perchance? :) </snark>
Jack Suess UMBC VP of IT & CIO jack () umbc edu 1000 Hilltop Circle 410.455.2582 Baltimore Md, 21250 Homepage: http://bit.ly/fSB5ID Blog: http://bit.ly/felhWd
Attachment:
smime.p7s
Description:
Current thread:
- Detecting Certificate Authority compromises and web browser collusion Jesse Thompson (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Dean Woodbeck (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Valdis Kletnieks (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Jack Suess (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Jesse Thompson (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Valdis Kletnieks (Mar 25)
- Re: Detecting Certificate Authority compromises and web browser collusion Valdis Kletnieks (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Dean Woodbeck (Mar 24)