Web credential authority rebuked for 'poor' security Microsoft, Google, and Mozilla will banish yet another web authentication authority from their software after learning that it issued secure sockets layer certificates that could be used to attack people visiting Malaysian government websites. Digicert Malaysia, an intermediate certificate authority that was certified by parent …
First glance this looks like just another breach, but I actually think this is a case where the Certificate Authority system is working exactly the way it should... DigiCert Sdn Bhd (Malaysia, not DigiCert Inc.) didn't follow established Industry guidelines & requirements so their certs are revoked - preventing what could have been a big issue.
Sure the certificates shouldn't have been issued in the first place, but there is a system in place to help mitigate and prevent potential damage. For all the bad news about CAs that has been published in the last few months, I chalk this one up to being on the good side.
The fact that the first 'S' in SSL stands for 'secure' would seem to indicate that anyone issuing SSL certificates is doing so in a secure manner.
What will happen if it turns out that Verisign (or GoDaddy) or any of the offical country CA's have issued certificates improperly? Do Google/Microsoft/Mozilla/Opera have the sand to blacklist all of Verisign's CA certificates, for example?
"Its use of 512-bit keys, for instance, stand in stark contrast to the minimum requirement that keys contain twice that length."
And really, if you're still using 1024 bits, you really shouldn't be any more.
"Why is Entrust, along with all of the other publicly trusted certification authorities, moving to 2048-bit RSA keys [by the end of 2010]?" http://www.entrust.net/knowledge-base/technote.cfm?tn=7710
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
