[Cryptography] TB2F CAs as (un)official browser policy
Rob Stradling
rob.stradling at comodo.com
Mon Mar 23 07:23:30 EDT 2015
On 20/03/15 09:34, Ben Laurie wrote:
<snip>
> From what I can tell, there's quite a difference between the Comodo
> and DigiNotar incidents:
>
> 1. Comodo appears to have been hacked via a fake RA login, whereas
> DigiNotar actually was owned.
A real RA's login credentials were used. The attacker obtained those
login credentials by hacking into the RA's system.
> 2. Comodo issued eight fake certs, DigiNotar > 500.
Nit: We misissued nine certs.
> 3. Comodo knew what certs were issued, DigiNotar did not.
Yep.
> 4. Comodo did not sit on the facts for 6 weeks.
Indeed. We notified the major browser providers the same day, and we
released the facts into the public domain as quickly as we could. (One
of the browser providers asked us to delay going public for a week so
that they had sufficient time to produce and test the required patches).
> I'm not sure what relative size by certs issued (or by validations,
> which does seem a better metric) Comodo and DigiNotar were at the time
> (anyone got numbers?), but I do know that removing the DigiNotar root
> had considerable fallout, particularly if you were Dutch...
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online