[Chapter-delegates] Isoc initiative in trust and security and Compromised wildcard SSL certificates

Eduard Tric eduard.tric at isoc.ro
Tue Sep 6 07:37:56 PDT 2011


Issuing wildcard SSL certificates (like *.company.eu) has become a common commercial practice among certification authorities.

They are convenient to install in production environments, but this comes with a risk.
If they are compromised at the final customer site, it's their own responsibility.
If they are compromised (faked) at CA (certification authority) level, it's another story: the whole Internet trust system falls apart (especially as the ebusiness and egovernment applications rely heavily on SSL).
This thing happened recently in an EU country, The Netherlands.
The CA seems to have been revoked by the Dutch government (Isoc.nl could kindly give us some fresh news about this issue) and at least by the Mozilla Foundation, but what strikes me is the extent of the fake certificates (whole *google.com, *com and many others).

Isoc should work with the EU to propose and maintain a trusted list of CAs, then extend it globally. It's a registry, just like .org, and it's doable.

At Isoc Romania, we have been trying to do this for some years, pushing the government to act.
The Romanian and French governments are now favorable and could push this initiative; the Dutch should probably be urged to join.
Isoc or Eurid could maintain this trusted list.
There are also two major EU projects (PEPPOL - eprocurement and STORK) that have emphasized the necessity of such a trusted list.


We would like to hear opinions from other chapters (are they aware of other compromised CAs?)


References:
http://en.wikipedia.org/wiki/Certificate_authority
http://www.net-security.org/secworld.php?id=11565
http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/




Best Regards
Eduard Tric
Isoc Romania
http://isoc.ro