
Fraudulent *.google.com certificate issued


Posted Sep 1, 2011 7:56 UTC (Thu) by Comet (subscriber, #11646)
In reply to: Fraudulent *.google.com certificate issued by martinfick
Parent article: Fraudulent *.google.com certificate issued

This is what companies like Dun & Bradstreet do, and the other old major merchant houses.

Things like Linkage Analysis, where they figure out which companies own which other companies, and trace down who actually owns a company.

It's human legwork to maintain their databases. Thus they get to charge money for queries against them.

So, I certainly hope that the major CAs are doing at least a paid check with one of the merchant houses before issuing EV certs, and anyone bundling together a group of CAs for others to trust should either be saying "don't trust us, this is just what we find convenient" (amateur, but sometimes appropriate) or should be doing the same due diligence.



Fraudulent *.google.com certificate issued

Posted Sep 1, 2011 18:20 UTC (Thu) by raven667 (subscriber, #5198)

I'm pretty sure they do, I know the CA I used to be involved with did D&B checks and gathered other docs before issuing new EV certs. The data gathering process usually took a couple of weeks and had to be validated by certified individuals and the actual issuance had to be performed by two managers.

In this case, though, attackers are believed to have compromised the infrastructure and had enough access that they could issue whatever they liked without going through the audit and security controls. The technical measures which could prevent this are difficult, cumbersome, expensive and not foolproof. At some point you have to be able to accept a CSR from a customer and expose it to the HSA and receive a result. If you can get anywhere in that path you can send your own CSRs and have whatever you want signed.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds