[SSL Observatory] Widespread RNG vulnerabilities discovered using Observatory data

Tom Ritter tom at ritter.vg
Sun Feb 19 16:15:57 PST 2012


On 17 February 2012 11:51, Phillip Hallam-Baker <hallam at gmail.com> wrote:
> If the reporting mechanism is public we may well see a DDoS attack
> against it in parallel with an actual attack.

Well, there's a few months to solve that problem, but it will need to
be resolved.  According to the CA/B Forum Guidelines (effective July
1st), 13.1.2:

The CA SHALL provide Subscribers, Relying Parties, Application Software
Suppliers, and other third parties with clear instructions for reporting
suspected Private Key Compromise, Certificate misuse, or other types of
fraud, compromise, misuse, inappropriate conduct, or any other matter
related to Certificates.  The CA SHALL publicly disclose the instructions
through a readily accessible online means.

-tom


