[security] SSL compromise
SitG Admin
sysadmin at shadowsinthegarden.com
Fri Mar 25 19:49:38 UTC 2011
>I will also point out that this is not the only incident of issuing
>certificates to the wrong people that Comodo has been involved in.
If not them, it would be some other low-hanging fruit. The weakest CA
in the pool.
>So the one thing we can do from an OpenID point of view is at least
>take revocation seriously because I am willing to bet this will not
>be the last time something like this happens.
Cert caching? (Check the CA chain?) Most effectively for major RPs
accepting logins from major OPs, react to a single cert from a CA
never previously associated with that domain, when processing
thousands of concurrent logins from the familiar cert?
The low-hanging fruit is most likely to make this kind of mistake,
but it'd be nice if we weren't relying on them to catch it.
(Ultimately, yes, but it might be preferable in some use-cases to
break in favor of security over convenience.)
-Shade
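The check sketched above (remember which CA normally issues an OP's certificate and react when a certificate for the same domain turns up from a CA never seen before) as an added Python illustration; this is example code, not from the original mail or from any OpenID library, and the domain, CA names and threshold are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Domain -> issuing CA name -> number of accepted logins seen with it.
History = Dict[str, Dict[str, int]]

# A CA is "established" for a domain only after this many sightings, so the
# RP does not pin on the very first (possibly already bad) certificate.
ESTABLISH_THRESHOLD = 100  # constructed value, tune per RP traffic


def classify(history: History, domain: str, issuer: str) -> str:
    """Verdict for one observed OP certificate: 'new-domain', 'unestablished',
    'ok' or 'ca-mismatch'. `issuer` is the issuing CA's subject name as read
    from the chain the OP presented (e.g. ssl.getpeercert()['issuer'])."""
    seen = history.get(domain)
    if not seen:
        return "new-domain"
    established = {ca for ca, n in seen.items() if n >= ESTABLISH_THRESHOLD}
    if not established:
        return "unestablished"
    return "ok" if issuer in established else "ca-mismatch"


def record(history: History, domain: str, issuer: str) -> None:
    """Count a login that was accepted, so its CA can become established."""
    history.setdefault(domain, defaultdict(int))[issuer] += 1


def replay(observations: List[Tuple[str, str]]) -> List[str]:
    """Process (domain, issuer) pairs in order and return the verdicts.
    A 'ca-mismatch' is NOT recorded: a new CA only becomes trusted after an
    operator explicitly re-pins, never by being seen often enough."""
    history: History = {}
    verdicts: List[str] = []
    for domain, issuer in observations:
        verdict = classify(history, domain, issuer)
        verdicts.append(verdict)
        if verdict != "ca-mismatch":
            record(history, domain, issuer)
    return verdicts


def demo() -> List[str]:
    """Constructed sample: 100 logins from the OP's usual CA, then one
    certificate for the same domain issued by a CA never seen before."""
    usual = [("op.example", "CN=Usual Root CA")] * ESTABLISH_THRESHOLD
    return replay(usual + [("op.example", "CN=Never Seen Before CA")])
```

Certificate rotation under the same CA still yields 'ok', since only the issuer is compared; a mismatch is what the RP would surface for review rather than silently accept.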