On 8/31/20 9:34 AM, Charles Mills wrote:
Are CAs perfect? I don't *know* of a CA hack but I do know of (I
should probably say "alleged") CA sloppiness:
DigiNotar was compromised:
"...it had become clear that a security breach had resulted in the
fraudulent issuing of certificates..."
Link - DigiNotar
- https://en.wikipedia.org/wiki/DigiNotar
I believe there have been others in the past. But DigiNotar was one of
the most prominent breaches that I remember. I think part of their
problem was how they failed to handle the situation.
I think Comodo has had problems too. I don't know the circumstances
around them.
I don't know how much of a problem (if that's the correct term) it is in
the mainframe world, but Windows used to trust hundreds of CAs. That
means hundreds of entities that could sign certificates for any given
subject. A common scapegoat for a popular podcast is that the Hongkong
Post can sign certificates for ibm.com or listserv.ua.edu. Any of the
multiple hundred Root CAs can do it.
CAA records offer some protection for this, but that is no guarantee.
--
Grant. . . .
unix || die