[Cryptography] Dells are shipping with a rogue root level CA cert

Chris Tonkinson chris at tonkinson.com
Tue Nov 24 12:56:15 EST 2015


On 11/23/2015 03:57 PM, Perry E. Metzger wrote:
> It is unclear what the CA is for, but there's a good possibility it
> isn't good...

Does anyone have any data on the prevalence of the most popular CAs, or
tools to audit relative use of each CA for a given client?

I'd bet folding money that out of the hundreds of default CAs on most
operating systems, a dozen (or fewer) account for 80% of all endpoints
being connected to. In which case A) the others can be deleted and B) we
can safely assume those with money and motive have set about
compromising the remainder.

Wouldn't it be funny (for some reasonably twisted definition of the word
"funny") to learn that, for example, the IdenTrust chain was
compromised by some state actor(s) - thus making Let's Encrypt a very
well intentioned charade of lulz.


Chris Tonkinson
https://chris.tonkinson.com/
610.425.7807

"Lead, follow, or get out of the way."
-Thomas Paine
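The audit Chris asks about, as an added example that is not part of the original post: given a client's root store and the root that anchored each observed TLS connection, rank roots by use, find the smallest set covering 80% of endpoints, list unused roots that are candidates for removal, and flag any anchoring root that is not in the expected store. All root names and hostnames below are constructed sample data, not a real trust store or real measurements.

```python
from collections import Counter

# Constructed sample data (hypothetical names, not a real trust store).
TRUST_STORE = ["Root A", "Root B", "Root C", "Root D", "Root E", "Root F"]

# (endpoint, root CA that anchored the verified chain) for observed connections.
# "Unexpected Vendor Root" is a constructed stand-in for a root that is not part
# of the expected baseline store, e.g. one added by a preinstalled vendor tool.
OBSERVED_CONNECTIONS = [
    ("mail.example", "Root A"), ("cdn.example", "Root A"), ("shop.example", "Root B"),
    ("bank.example", "Root A"), ("news.example", "Root C"), ("api.example", "Root B"),
    ("git.example", "Root A"), ("docs.example", "Root B"), ("chat.example", "Root D"),
    ("wiki.example", "Root A"), ("intranet.example", "Unexpected Vendor Root"),
]


def root_usage(observations):
    """Count how many observed endpoints chained to each root CA."""
    return Counter(root for _, root in observations)


def roots_covering(usage, share=0.80):
    """Smallest prefix of the most-used roots whose endpoints reach `share` of all."""
    total = sum(usage.values())
    chosen, covered = [], 0
    for root, count in usage.most_common():
        if covered / total >= share:
            break
        chosen.append(root)
        covered += count
    return chosen


def audit(trust_store, observations, share=0.80):
    """Summarise which roots the client actually relies on, which it never used,
    and which anchoring roots are absent from the expected baseline store."""
    usage = root_usage(observations)
    return {
        "usage": dict(usage),
        "core": roots_covering(usage, share),                 # roots covering `share`
        "unused": sorted(set(trust_store) - set(usage)),      # removal candidates
        "not_in_baseline": sorted(set(usage) - set(trust_store)),  # investigate
    }


if __name__ == "__main__":
    for key, value in audit(TRUST_STORE, OBSERVED_CONNECTIONS).items():
        print(f"{key}: {value}")
```

In practice the observation list would be collected from the client's own verified chains over time; the ranking only says which roots are relied on, not that the unused ones are safe to keep.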
