Re: Chinese root CA issues rogue/fake certificates

[George William Herbert <george.herbert () gmail com>]

> On Sep 1, 2016, at 3:19 AM, Stephane Bortzmeyer <bortzmeyer () nic fr> wrote:
>
> On Thu, Sep 01, 2016 at 11:36:57AM +1000,
> Matt Palmer <mpalmer () hezmatt org> wrote 
> a message of 45 lines which said:
>
> > I'd be surprised if most business continuity people could even name
> > their cert provider,
>
> And they're right because it would be a useless information: without
> DANE, *any* CA can issue a certificate for *your* domain, whether you
> are a client or not.

It's relevant for a different reason; CA health needs to be monitored, and multiple CAs can (should) be used in case CA 
A's recognition gets pulled or a catastrophe happens.  Having certs from CA B then gets you going either immediately 
(if you actively use both) or rapidly (if you need to replace certs on web / services front end).  Getting new ones 
from CA B in a hurry can be a major deal.


Sent from my iPhone