Educause Security Discussion mailing list archives

Re: Detecting Certificate Authority compromises and web browser collusion


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 24 Mar 2011 23:21:46 -0500

On 3/24/11 7:58 PM, Dean Woodbeck wrote:

On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:

This is a very interesting article on the failure of the certificate
authority model of trust. Additionally, it's worth noting that the
specific breach involved Comodo, which is the CA for the new Internet2
InCommon Federation CA.

But this in no way affects nor involves the InCommon Certificate
Service. Here is the information that John Krienke, COO of InCommon,
sent to the community today:

Yes, I know. I didn't mean to make any assertions about the security of InCommon or Comodo (I use InCommon certificates too!).

I made the "note of interest" merely because, in most cases, security threats become more real to us humans when they hit close to home.

I was more interested in pointing out the author's points about how the certificate authority model of trust is broken in general.


-----------------
InCommon Certificate Service partner, Comodo, had a recent incident that
has appeared in community news/blog sources, and there may be some
questions developing.

A short summary of the story: A Comodo reseller account was compromised
and some certificates were issued that could be used to spoof high-value
websites. Comodo has revoked the certificates and communicated details
of the incident in a blog post (see below).

Although, I do find it interesting that "Comodo has revoked the certificates" carries little weight if you follow the author's argument that the certificate revocation system is ineffective.

Jesse


Key points for us:

- This in no way affects the InCommon Certificate Service, the InCommon
physical Certificate Authority (CA) systems, or for that matter any
Comodo CA. The incident involved an account username/password issue. The
security of all the Comodo CAs and their private keys is intact.

- I met with community experts that serve on our PKI subcommittee last
night to review the facts. You can be assured that we're actively
monitoring the situation.

- It's also worth noting that InCommon uses two-factor authentication
for all of its master login accounts (passwords combined with physical
tokens).

Comodo's blog post:
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

----------
Dean Woodbeck
Program Manager, InCommon
woodbeck () internet2 edu
(734) 352-7007
www.incommon.org
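Jesse's aside above, that "Comodo has revoked the certificates" carries little weight when clients do not reliably check revocation, comes down to client policy: the same attacker who can spoof a site can usually also block the victim's OCSP and CRL lookups, and a client in soft-fail mode treats "no answer" as "not revoked". The following Python models that decision. It is an added example written for this archive page, not code from the thread, Comodo, or InCommon; the serial number, CRL dates and scenario names are constructed, and the class and function names are my own.

```python
"""Model of a client's certificate revocation-check policy.

Added illustration, not from the mailing-list thread. All serials, dates and
scenarios are constructed. Shows why revocation offers little protection to a
soft-fail client when the attacker can also block revocation lookups.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder has no record of the certificate
    UNAVAILABLE = "unavailable"  # timeout, blocked by the network, DNS failure


@dataclass
class Crl:
    revoked_serials: Set[int]
    this_update: datetime
    next_update: datetime

    def is_fresh(self, now: datetime) -> bool:
        # A CRL past its nextUpdate could be one the attacker let through
        # before the revocation was published, so it is not evidence.
        return self.this_update <= now < self.next_update


@dataclass
class RevocationEvidence:
    ocsp: OcspStatus
    crl: Optional[Crl]  # None when the CRL could not be fetched


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_REVOKED = "reject: revoked"
    REJECT_NO_EVIDENCE = "reject: revocation status unavailable"


def check_revocation(serial: int, ev: RevocationEvidence, now: datetime,
                     hard_fail: bool) -> Verdict:
    """Decide whether to trust a cert given whatever revocation data arrived.

    hard_fail=True: missing evidence is fatal (what a security engineer wants).
    hard_fail=False: missing evidence is ignored (what most browsers of the
    era did, to avoid breaking sites whenever a responder was slow or down).
    """
    # Definitive OCSP answers first; UNKNOWN is not an answer (RFC 6960).
    if ev.ocsp == OcspStatus.REVOKED:
        return Verdict.REJECT_REVOKED
    if ev.ocsp == OcspStatus.GOOD:
        return Verdict.ACCEPT
    # Fall back to a CRL, but only a fresh one.
    if ev.crl is not None and ev.crl.is_fresh(now):
        if serial in ev.crl.revoked_serials:
            return Verdict.REJECT_REVOKED
        return Verdict.ACCEPT
    # No usable evidence: the policy decides.
    return Verdict.REJECT_NO_EVIDENCE if hard_fail else Verdict.ACCEPT


SERIAL = 0x1234  # constructed serial of a certificate the CA has revoked


def scenarios(now: datetime) -> Dict[str, Tuple[Verdict, Verdict]]:
    """Return (soft-fail verdict, hard-fail verdict) for each situation."""
    fresh = Crl({SERIAL}, now - timedelta(days=1), now + timedelta(days=6))
    stale = Crl({SERIAL}, now - timedelta(days=30), now - timedelta(days=23))
    cases = {
        "ocsp says revoked": RevocationEvidence(OcspStatus.REVOKED, None),
        "ocsp blocked, crl blocked": RevocationEvidence(OcspStatus.UNAVAILABLE, None),
        "ocsp blocked, stale cached crl": RevocationEvidence(OcspStatus.UNAVAILABLE, stale),
        "ocsp blocked, fresh crl": RevocationEvidence(OcspStatus.UNAVAILABLE, fresh),
    }
    return {
        name: (check_revocation(SERIAL, ev, now, hard_fail=False),
               check_revocation(SERIAL, ev, now, hard_fail=True))
        for name, ev in cases.items()
    }


if __name__ == "__main__":
    when = datetime(2011, 3, 24, tzinfo=timezone.utc)
    for name, (soft, hard) in scenarios(when).items():
        print(f"{name:32s} soft-fail: {soft.value:12s} hard-fail: {hard.value}")
```

The "ocsp blocked, crl blocked" row is the one that matters for the thread: the certificate is revoked at the CA, yet the soft-fail client accepts it, so revocation only helps a client that is prepared to fail closed (or that receives the revocation by another channel, such as a vendor-pushed blocklist).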


