nanog mailing list archives
Re: SSL Certificates
From: Jimmy Hess <mysidia () gmail com>
Date: Thu, 16 Feb 2012 00:57:25 -0600
On Wed, Feb 15, 2012 at 6:49 PM, George Herbert <george.herbert () gmail com> wrote:
On Wed, Feb 15, 2012 at 4:17 PM, John Levine <johnl () iecc com> wrote:
The problem with anything related to Verisign at the moment is that
The possibility of their root certs being compromised is nonzero.
The possibility of _ANY_ CA's root certs having been compromised is non-zero. There's no evidence published to indicate Verisign's CA key has been compromised, and it's highly unlikely. Just as there's no evidence of other CAs' root certificate keys being compromised.
There may be no problem; they also may be completely worthless. Until there's full disclosure...
[snip]

They are not completely worthless until revoked, or distrusted by web browsers. There is a risk that any CA issued SSL certificate signed by _any_ CA may be worthless some time in the future, if the CA chosen is later found to have issued sufficient quantities of fraudulent certificates, and sufficiently failed in their duties.

I suppose if you buy an SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which an SSL cert is issued.

E.g. A guarantee such that the CA will refund the complete certification fee, or pay for the replacement of the SSL certificate with a new valid certificate issued by another fully trusted CA, and compensate for any tangible loss, resulting from the CA's signing certificate being marked as untrusted by major browsers, revoked, or removed from major browsers' trust list, due to any failure on the CA's part or compromise of their systems, resulting in loss of trust.

--
-JH