On Fri, Sep 2, 2011 at 11:50 AM, Marsh Ray wrote:
> ...
> What's the difference between a private key in the wild and a pwned CA that,
> even months after a breakin and audit, doesn't revoke or even know what it
> signed?
i should have been more clear; by pwning the HSM i meant to imply the root
Marsh Ray writes:
> Why would they need to?
>
> What's the difference between a private key in the wild and a pwned
> CA that, even months after a breakin and audit, doesn't revoke or
> even know what it signed?
>
> (This is a serious question)
The pwned CA leaves evidence that other people can
On 09/02/2011 12:55 PM, coderman wrote:
the next escalation will be sploiting private keys out of hardware
security modules presumed impervious to such attacks.
given the quality of HSM firmware, they're lucky that cost is somewhat of a
prohibiting factor for attackers.
authority in the wild, not just
On Thu, Sep 1, 2011 at 9:19 PM, Peter Gutmann wrote:
> ...
> I wonder if we're going to see something like the four-minute-mile phenomenon,
> until Roger Bannister did it, it was thought to be impossible, but once he'd
> proven it was possible an avalanche of others followed his lead. So now that
[NB: CC'd to the randombit cryptography list, since this is an interesting point for discussion.]
Ian G writes:
>What we'll likely see now is a series of breaches at multiple levels to
>acquire and misuse certs. We've seen compromises in the past, but what makes
>this new is that we have e