[SSL Observatory] SSL CA compromise in the wild

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Mar 22 23:01:07 PDT 2011


Jacob Appelbaum <jacob at appelbaum.net> writes:

>I wanted to start a thread about this blog post I just finished writing:
>https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

Interesting bit of detective work!  The discussion shows up (yet again) one of
the killer problems of CRL/OCSP-style blacklisting, since you can only
blacklist certs that you know the CA has issued, there could be arbitrary
numbers of further certs out there that can't be revoked because the CA
doesn't know that it issued them.

>"A Certification Authority appeared to be compromised in some capacity"

It would be good to include a forward reference to the discussion further on
to justify this, otherwise there's a potential tl;dr problem, it's hard to
tell from the initial text that this isn't just based on a rumour somewhere.

>It seems timely to discuss a new metric for trust that is not a simple
>boolean.

There have been endless [0] papers published on trust metrics.  In my book I
give all of them as one mass of references specifically in order to point out
just how much has been written, and how little it's helped.

Peter.

[0] Well, not endless, but the list of references, in the format [1][2]
    [3]...[n], wraps around several lines.




More information about the Observatory mailing list