back to article Web credential authority rebuked for 'poor' security

Microsoft, Google, and Mozilla will banish yet another web authentication authority from their software after learning that it issued secure sockets layer certificates that could be used to attack people visiting Malaysian government websites. Digicert Malaysia, an intermediate certificate authority that was certified by parent …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

First glance this looks like just another breach, but I actually think this is a case where the Certificate Authority system is working exactly the way it should... DigiCert Sdn Bhd (Malaysia, not DigiCert Inc.) didn't follow established Industry guidelines & requirements so their certs are revoked - preventing what could have been a big issue.

Sure the certificates shouldn't have been issued in the first place, but there is a system in place to help mitigate and prevent potential damage. For all the bad news about CAs that has been published in the last few months, I chalk this one up to being on the good side.

1
0
Silver badge

On the other hand

The fact that the first 'S' in SSL stands for 'secure' would seem to indicate that anyone issuing SSL certificates is doing so in a secure manner.

What will happen if it turns out that Verisign (or GoDaddy) or any of the offical country CA's have issued certificates improperly? Do Google/Microsoft/Mozilla/Opera have the sand to blacklist all of Verisign's CA certificates, for example?

1
0
Black Helicopters

Opera?

Has Opera banished the authority ?

0
1
FAIL

512 bits is just shameful

"Its use of 512-bit keys, for instance, stand in stark contrast to the minimum requirement that keys contain twice that length."

And really, if you're still using 1024 bits, you really shouldn't be any more.

"Why is Entrust, along with all of the other publicly trusted certification authorities, moving to 2048-bit RSA keys [by the end of 2010]?" http://www.entrust.net/knowledge-base/technote.cfm?tn=7710

0
0

Criminal proceedings - DigiCert Malaysia

Where can details pertaining to the criminal proceedings against Digicert Malaysia be found? Clearly and obviously a deliberate act?

0
0
This topic is closed for new posts.

Forums