Web credential authority rebuked for 'poor' security

Microsoft, Google, and Mozilla will banish yet another web authentication authority from their software after learning that it issued secure sockets layer certificates that could be used to attack people visiting Malaysian government websites. Digicert Malaysia, an intermediate certificate authority that was certified by parent …


This topic is closed for new posts.
  1. Anonymous Coward

    First glance this looks like just another breach, but I actually think this is a case where the Certificate Authority system is working exactly the way it should... DigiCert Sdn Bhd (Malaysia, not DigiCert Inc.) didn't follow established Industry guidelines & requirements so their certs are revoked - preventing what could have been a big issue.

    Sure the certificates shouldn't have been issued in the first place, but there is a system in place to help mitigate and prevent potential damage. For all the bad news about CAs that has been published in the last few months, I chalk this one up to being on the good side.

    1. Anonymous Coward

      On the other hand

      The fact that the first 'S' in SSL stands for 'secure' would seem to indicate that anyone issuing SSL certificates is doing so in a secure manner.

      What will happen if it turns out that Verisign (or GoDaddy) or any of the official country CAs have issued certificates improperly? Do Google/Microsoft/Mozilla/Opera have the sand to blacklist all of Verisign's CA certificates, for example?

  2. Anonymous Coward

    Has Opera banished the authority?

  3. Richard 26

    512 bits is just shameful

    "Its use of 512-bit keys, for instance, stand in stark contrast to the minimum requirement that keys contain twice that length."

    And really, if you're still using 1024 bits, you really shouldn't be any more.

    "Why is Entrust, along with all of the other publicly trusted certification authorities, moving to 2048-bit RSA keys [by the end of 2010]?"

  4. HandleTaken

    Criminal proceedings - DigiCert Malaysia

    Where can details pertaining to the criminal proceedings against Digicert Malaysia be found? Clearly and obviously a deliberate act?
