nanog mailing list archives

Re: SSL Certificates
From: Jimmy Hess <mysidia () gmail com>
Date: Thu, 16 Feb 2012 00:57:25 -0600

On Wed, Feb 15, 2012 at 6:49 PM, George Herbert
<george.herbert () gmail com> wrote:
> On Wed, Feb 15, 2012 at 4:17 PM, John Levine <johnl () iecc com> wrote:
>> The problem with anything related to Verisign at the moment is that
>> the possibility of their root certs being compromised is nonzero.

The possibility of _ANY_ CA's root certs having been compromised is non-zero.
There's no evidence published to indicate Verisign's CA key has been
compromised, and it's highly unlikely.

Just as there's no evidence of other CAs' root certificate keys being
compromised.

> There may be no problem; they also may be completely worthless.  Until
> there's full disclosure...
[snip]

They are not completely worthless until revoked, or distrusted by web browsers.

There is a risk that any CA-issued SSL certificate signed by _any_ CA
may be worthless some time in the future, if the CA chosen is later
found to have issued sufficient quantities of fraudulent certificates,
and sufficiently failed in their duties.


I suppose if you buy an SSL certificate, you should be looking for
your CA to have insurance to reimburse the cost of the certificate
should that happen, and an ironclad "refund" clause in the
agreement/contract under which an SSL cert is issued.

E.g. a guarantee such that the CA will refund the complete
certification fee, or pay for the replacement of the SSL certificate
with a new valid certificate issued by another fully trusted CA,
and compensate for any tangible loss resulting from the CA's
signing certificate being marked as untrusted by major browsers,
revoked, or removed from major browsers' trust list, due to any
failure on the CA's part or compromise of their systems, resulting in
loss of trust.


--
-JH
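The point made above, that a certificate is only "worthless" once the CA behind it is revoked or dropped from the browsers' trust list, is easy to see with the openssl command line. The script below is an added example, not part of the original thread or of any CA's tooling. It creates two unrelated private roots, issues a server certificate from one of them, and then checks that same certificate against a trust bundle that contains its issuing root and against one where that root has been removed, which is what a browser vendor's distrust decision amounts to. The CA names, the hostname www.example.test and the bundle file names are all constructed for the example; it models distrust via the trust store only, not CRL or OCSP revocation.

```shell
#!/bin/sh
# Added example: a certificate chains only to the root that issued it, so
# removing that root from the trust bundle is enough to make it untrusted.
# Requires the openssl CLI. All names and files below are constructed for
# this demonstration and do not refer to any real CA.
set -e

# make_root DIR NAME SUBJECT: create a self-signed root CA (key + cert).
# "openssl req -x509" marks the certificate as a CA by default.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf DIR ROOT NAME SUBJECT: create a key and CSR for NAME, then have
# ROOT sign the CSR, producing the end-entity (server) certificate.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -days 90 -sha256 -in "$1/$3.csr" \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.crt" 2>/dev/null
}

# chain_status CERT BUNDLE: print "trusted" if CERT chains to a root in
# BUNDLE, "untrusted" otherwise. -no-CApath/-no-CAfile keep the system store
# out of the decision, so BUNDLE alone plays the role of a browser's root list.
chain_status() {
  if openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# build_demo DIR: two unrelated roots, one server cert issued by the first,
# and two trust bundles: one holding both roots, one with the issuer removed.
build_demo() {
  make_root "$1" acme  "/CN=Acme Root CA"
  make_root "$1" other "/CN=Some Other Root CA"
  issue_leaf "$1" acme server "/CN=www.example.test"
  cat "$1/acme.crt" "$1/other.crt" > "$1/roots-before.pem"
  cat "$1/other.crt" > "$1/roots-after-distrust.pem"
}

# Stand-alone run: the same server certificate, checked against both bundles.
DEMO_DIR=$(mktemp -d)
build_demo "$DEMO_DIR"
echo "issuing root in bundle:          $(chain_status "$DEMO_DIR/server.crt" "$DEMO_DIR/roots-before.pem")"
echo "issuing root removed (distrust): $(chain_status "$DEMO_DIR/server.crt" "$DEMO_DIR/roots-after-distrust.pem")"
rm -rf "$DEMO_DIR"
```

Nothing about the server certificate changes between the two checks; only the verifier's root list does. That is the whole mechanism behind a browser distrust, and why a certificate bought from a CA that is later removed from the trust list stops working without the CA or the site operator doing anything.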

