Educause Security Discussion mailing list archives
Re: Detecting Certificate Authority compromises and web browser collusion
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 24 Mar 2011 23:21:46 -0500
On 3/24/11 7:58 PM, Dean Woodbeck wrote:
> On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:
>> This is a very interesting article on the failure of the certificate authority model of trust. Additionally, it's worth noting that the specific breach involved Comodo, which is the CA for the new Internet2 InCommon Federation CA.
>
> But this in no way affects nor involves the InCommon Certificate Service. Here is the information that John Krienke, COO of InCommon, sent to the community today:

Yes, I know. I didn't mean to make any assertions about the security of InCommon or Comodo (I use InCommon certificates too!).

I made the "note of interest" merely because, in most cases, security threats become more real to us humans when they hit close to home.

I was more interested in pointing out the author's points about how the certificate authority model of trust is broken in general.

> -----------------
> InCommon Certificate Service partner, Comodo, had a recent incident that has appeared in community news/blog sources, and there may be some questions developing. A short summary of the story: A Comodo reseller account was compromised and some certificates were issued that could be used to spoof high-value websites. Comodo has revoked the certificates and communicated details of the incident in a blog post (see below).

Although, I do find it interesting that "Comodo has revoked the certificates" carries little weight if you follow the author's argument that the certificate revocation system is ineffective.

Jesse

> Key points for us:
> - This in no way affects the InCommon Certificate Service, the InCommon physical Certificate Authority (CA) systems, or for that matter any Comodo CA. The incident involved an account username/password issue. The security of all the Comodo CAs and their private keys is intact.
> - I met with community experts that serve on our PKI subcommittee last night to review the facts. You can be assured that we're actively monitoring the situation.
> - It's also worth noting that InCommon uses two-factor authentication for all of its master login accounts (passwords combined with physical tokens).
>
> Comodo's blog post: http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
> ----------
> Dean Woodbeck
> Program Manager, InCommon
> woodbeck () internet2 edu <mailto:woodbeck () internet2 edu>
> (734) 352-7007
> www.incommon.org <http://www.incommon.org>
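Jesse's remark that "Comodo has revoked the certificates" carries little weight if relying parties never enforce revocation is something an operator can check against their own verifier. The shell script below is an added example and is not part of this thread, nor tooling from Comodo or InCommon. It assumes only the openssl command-line tool and mktemp are available; the test CA "Example Test CA" and the host name "revoked.example" are constructed for the demonstration. It builds a throwaway CA, issues a leaf certificate, revokes it through a CRL, and then verifies that same leaf under three policies: revocation never consulted (which is what a soft-fail client amounts to once its CRL or OCSP fetch is blocked), CRL consulted, and CRL demanded but unavailable.

```shell
#!/bin/sh
# Added example, not part of the thread: builds a throwaway test CA with the
# openssl CLI, issues and revokes one leaf certificate, and then verifies that
# leaf under three verifier policies to show how much a revocation is worth
# when the relying party never consults the CRL.
# Assumptions: the openssl command-line tool and mktemp are available; the
# names "Example Test CA" and "revoked.example" are constructed for the demo.

# Build the scratch PKI inside $1: CA key/cert, a leaf cert, and a CRL revoking it.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # Self-signed test CA (unencrypted key: throwaway material only).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1 || return 1

    # Leaf certificate for revoked.example, signed by the test CA.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=revoked.example" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/leaf.crt" >/dev/null 2>&1 || return 1

    # Minimal "openssl ca" configuration: only what -revoke and -gencrl need.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"

    # Record the leaf as revoked, then publish a CRL signed by the CA key.
    openssl ca -config "$dir/ca.cnf" -cert "$dir/ca.crt" -keyfile "$dir/ca.key" \
        -revoke "$dir/leaf.crt" >/dev/null 2>&1 || return 1
    openssl ca -config "$dir/ca.cnf" -cert "$dir/ca.crt" -keyfile "$dir/ca.key" \
        -gencrl -out "$dir/ca.crl" >/dev/null 2>&1 || return 1
}

# Verify the revoked leaf under a policy; prints "accepted" or "rejected".
#   none      chain check only; revocation is never consulted. This is what a
#             soft-fail client amounts to once its CRL/OCSP fetch is blocked.
#   crl       chain check plus the CA's CRL: the revocation takes effect.
#   crl-only  revocation required but no CRL supplied: a hard-fail verifier
#             refuses rather than guessing.
check_leaf() {
    dir="$1"
    case "$2" in
        none)     extra="" ;;
        crl)      extra="-crl_check -CRLfile $dir/ca.crl" ;;
        crl-only) extra="-crl_check" ;;
        *)        echo "unknown policy: $2" >&2; return 1 ;;
    esac
    # $extra is deliberately unquoted so it splits into separate options.
    if openssl verify -CAfile "$dir/ca.crt" $extra "$dir/leaf.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Stand-alone run: print the outcome for each policy.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
for policy in none crl crl-only; do
    printf '%-9s %s\n' "$policy" "$(check_leaf "$demo_dir" "$policy")"
done
rm -rf "$demo_dir"
```

The "none" line is the one to watch: a revoked certificate is accepted without complaint whenever the verifier does not check revocation, which is exactly the situation a network position between the client and the CA's CRL or OCSP endpoint can create for a soft-fail client. Pointing `check_leaf` at the CA bundle and verification flags your own services actually use is a quick way to find out which of the three rows describes them.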
Current thread:
- Detecting Certificate Authority compromises and web browser collusion Jesse Thompson (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Dean Woodbeck (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Valdis Kletnieks (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Jack Suess (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Jesse Thompson (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Valdis Kletnieks (Mar 25)
- Re: Detecting Certificate Authority compromises and web browser collusion Valdis Kletnieks (Mar 24)
- Re: Detecting Certificate Authority compromises and web browser collusion Dean Woodbeck (Mar 24)