Ralph Holz <[email protected]> writes:

>I have some values from our own scans - scans conducted against hosts on the
>Alexa Top 1M list.
Given that that particular Diginotar CA had only issued around 700 certs in total, that means a significant fraction (at least a quarter, depending on how many undiscovered certs are still out there) of all its certs are fraudulent. Must have been someone with the knowledge of a million hackers this time round.

Another point is that minting 200-250 certs isn't something you can do with a mouse click, you need to prepare all the cert requests with site-specific data customised to each site, and that takes time. They must have had the run of the CA for quite some time to get all that done.

(In terms of the data that they provided, both ComodoGate and DiginotarGate have been quite valuable, ComodoGate for showing that browser vendors are willing to collude with CAs to cover up breaches, and DiginotarGate for showing that CAs are willing to hush up breaches more or less indefinitely until forced to disclose by external events outside their control. The only downside is that we really need to require CAs to choose names that work better with the -gate suffix. Something like EntrustGate I can deal with, but there's no way I'm trying EBGElektronikSertifikaHizmetSaglayicisiGate in a message).

Peter.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
