[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Chinese root CA issues rogue/fake certificates

Subject: Chinese root CA issues rogue/fake certificates
From: george.herbert at gmail.com (George William Herbert)
Date: Wed, 7 Sep 2016 16:39:14 -0700
In-reply-to: <[email protected]>
References: <CAB69EHjh+xLBzP+XoEUpo3fRYC_33aQWCEuDZPJc8MtxdshjQg@mail.gmail.com> <CA+E3k91eiwyykLV05fVL89Fd=USe-pzuhFRx4SFaCnuYMYskKA@mail.gmail.com> <CA+E3k923N8JRguG0yfjFg6ZkfhrUxc+CcxwD0Rh9kULgrCvr-Q@mail.gmail.com> <[email protected]> <[email protected]>

> On Sep 1, 2016, at 3:19 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> On Thu, Sep 01, 2016 at 11:36:57AM +1000,
> Matt Palmer <mpalmer at hezmatt.org> wrote 
> a message of 45 lines which said:
> 
>> I'd be surprised if most business continuity people could even name
>> their cert provider,
> 
> And they're right because it would be a useless information: without
> DANE, *any* CA can issue a certificate for *your* domain, whether you
> are a client or not.

It's relevant for a different reason; CA health needs to be monitored, and multiple CAs can (should) be used in case CA A's recognition gets pulled or a catastrophe happens.  Having certs from CA B then gets you going either immediately (if you actively use both) or rapidly (if you need to replace certs on web / services front end).  Getting new ones from CA B in a hurry can be a major deal.

Sent from my iPhone

References:
- Chinese root CA issues rogue/fake certificates
  - From: mpalmer at hezmatt.org (Matt Palmer)
- Chinese root CA issues rogue/fake certificates
  - From: bortzmeyer at nic.fr (Stephane Bortzmeyer)

Prev by Date: Optical transceiver question
Next by Date: Chinese root CA issues rogue/fake certificates
Previous by thread: Chinese root CA issues rogue/fake certificates
Next by thread: IPv4 Broker
Index(es):
- Date
- Thread