Re: [cryptography] An appropriate image from Diginotar

2011-09-02 Thread Peter Gutmann
Ralph Holz h...@net.in.tum.de writes: I have some values from our own scans - scans conducted against hosts on the Alexa Top 1M list. Given that that particular Diginotar CA had only issued around 700 certs in total, that means a significant fraction (at least a quarter, depending on how many

[cryptography] [OT] -gate (Re: An appropriate image from Diginotar)

2011-09-02 Thread Harald Hanche-Olsen
[Peter Gutmann pgut...@cs.auckland.ac.nz (2011-09-02 15:02:42 UTC)] The only downside is that we really need to require CAs to choose names that work better with the -gate suffix. Something like EntrustGate I can deal with, but there's no way I'm trying

Re: [cryptography] [OT] -gate (Re: An appropriate image from Diginotar)

2011-09-02 Thread Marsh Ray
On 09/02/2011 10:29 AM, Harald Hanche-Olsen wrote: The -gate suffix is getting tiresome, actually. I tend to agree with this: http://www.ajr.org/article.asp?id=5106 Ever since a certain third-rate burglary in Washington, D.C., many years ago, journalists have insisted on sticking the

Re: [cryptography] *.google.com certificate issued by DigiNotar

2011-09-02 Thread Marsh Ray
On 09/02/2011 12:55 PM, coderman wrote: the next escalation will be sploiting private keys out of hardware security modules presumed impervious to such attacks. given the quality of HSM firmwares they're lucky cost is somewhat a prohibiting factor for attackers. authority in the wild, not

Re: [cryptography] *.google.com certificate issued by DigiNotar

2011-09-02 Thread Seth David Schoen
Marsh Ray writes: Why would they need to? What's the difference between a private key in the wild and a pwned CA that, even months after a break-in and audit, doesn't revoke or even know what it signed? (This is a serious question) The pwned CA leaves evidence that other people can

Re: [cryptography] *.google.com certificate issued by DigiNotar

2011-09-02 Thread coderman
On Fri, Sep 2, 2011 at 11:50 AM, Marsh Ray ma...@extendedsubset.com wrote: ... What's the difference between a private key in the wild and a pwned CA that, even months after a break-in and audit, doesn't revoke or even know what it signed? i should have been more clear; by pwning the HSM i

Re: [cryptography] An appropriate image from Diginotar

2011-09-02 Thread Solar Designer
On Sat, Sep 03, 2011 at 03:02:42AM +1200, Peter Gutmann wrote: Another point is that minting 200-250 certs isn't something you can do with a mouse click, you need to prepare all the cert requests with site-specific data customised to each site, and that takes time. They must have had the run