[SSL Observatory] SSL CA compromise in the wild
Seth David Schoen
schoen at eff.org
Wed Mar 23 19:41:08 PDT 2011
Peter Gutmann writes:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
>
> >Right, we're hoping that the CA key isn't compromised. I mean, more
> >compromised. :-)
>
> You don't need a CA key compromised, you just issue yourself a CA cert and use
> that to both issue fraudulent certs and verify, via OCSP, that they're not
> revoked.
The OCSP design presumably should require checking all the way up the cert
chain, but I guess people felt that that would add too much latency.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
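The difference between the two revocation-checking policies discussed in the exchange above, as an added illustration that is not part of the thread: a leaf-only OCSP check versus one that queries status for every certificate below the trust anchor. All names, serial numbers and the status table are constructed for the example, and `ocsp_status` is a hypothetical stand-in for a real OCSP request/response (a real client would build the request from issuer and serial, send it to the responder in the certificate's AIA extension and verify the signed response against the issuer).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: only the fields revocation checking needs."""
    subject: str
    issuer: str
    serial: int
    is_ca: bool


# Constructed sample chain (hypothetical names): leaf first, trust anchor last.
ROOT = Cert("Example Root CA", "Example Root CA", 1, True)
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", 1001, True)
LEAF = Cert("www.example.test", "Example Issuing CA", 5001, False)
CHAIN: List[Cert] = [LEAF, INTERMEDIATE, ROOT]

# Constructed stand-in for OCSP responder answers, keyed by (issuer, serial).
# The leaf is fine; the intermediate that signed it has been revoked.
OCSP_ANSWERS: Dict[Tuple[str, int], str] = {
    ("Example Issuing CA", 5001): "good",
    ("Example Root CA", 1001): "revoked",
}


def ocsp_status(cert: Cert) -> str:
    """Hypothetical stand-in for an OCSP query: a table lookup instead of a
    network request. Returns 'good', 'revoked' or 'unknown' (no usable answer)."""
    return OCSP_ANSWERS.get((cert.issuer, cert.serial), "unknown")


def leaf_only_check(chain: List[Cert],
                    status_lookup: Callable[[Cert], str] = ocsp_status) -> bool:
    """The low-latency policy: a single OCSP query for the end-entity cert."""
    return status_lookup(chain[0]) == "good"


def full_chain_check(chain: List[Cert], trust_anchors: Set[Cert],
                     status_lookup: Callable[[Cert], str] = ocsp_status) -> Dict[str, str]:
    """Query revocation status for every certificate below the trust anchor.

    Returns a per-subject status map plus 'accepted' ('yes'/'no') and, on
    failure, a 'reason'. Anything other than 'good' (including 'unknown')
    fails the chain, i.e. a hard-fail policy.
    """
    result: Dict[str, str] = {}
    if not chain or chain[-1] not in trust_anchors:
        result["accepted"] = "no"
        result["reason"] = "chain does not end in a trusted root"
        return result
    # Each cert must name the next one as its issuer, and every issuer must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            result["accepted"] = "no"
            result["reason"] = f"invalid link from {child.subject} to {parent.subject}"
            return result
    accepted = True
    for cert in chain[:-1]:  # the self-signed anchor itself is not OCSP-checked
        status = status_lookup(cert)
        result[cert.subject] = status
        if status != "good":
            accepted = False
    result["accepted"] = "yes" if accepted else "no"
    if not accepted:
        result["reason"] = "a certificate in the chain is not confirmed good"
    return result


if __name__ == "__main__":
    print("leaf-only check accepts chain:", leaf_only_check(CHAIN))
    print("full-chain check:", full_chain_check(CHAIN, {ROOT}))
```

With the constructed table the leaf-only policy accepts the chain because the end-entity certificate is "good", while the full-chain policy rejects it because the issuing intermediate is revoked; passing a different `status_lookup` shows the same chain accepted once every certificate below the root answers "good". The extra cost is one query per intermediate, which is the latency trade-off the reply refers to.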