[Cryptography] TB2F CAs as (un)official browser policy

Rob Stradling rob.stradling at comodo.com
Mon Mar 23 07:23:30 EDT 2015

On 20/03/15 09:34, Ben Laurie wrote:
> From what I can tell, there's quite a difference between the Comodo
> and DigiNotar incidents:
> 1. Comodo appears to have been hacked via a fake RA login, whereas
> DigiNotar actually was owned.

A real RA's login credentials were used.  The attacker obtained those 
login credentials by hacking into the RA's system.

> 2. Comodo issued eight fake certs, DigiNotar > 500.

Nit: We misissued nine certs.

> 3. Comodo knew what certs were issued, DigiNotar did not.
> 4. Comodo did not sit on the facts for 6 weeks.

Indeed.  We notified the major browser providers the same day, and we 
released the facts into the public domain as quickly as we could.  (One 
of the browser providers asked us to delay going public for a week so 
that they had sufficient time to produce and test the required patches).

> I'm not sure what relative size by certs issued (or by validations,
> which does seem a better metric) Comodo and DigiNotar were at the time
> (anyone got numbers?), but I do know that removing the DigiNotar root
> had considerable fallout, particularly if you were Dutch...

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online