Headline sensationalist much? Two certs are mentioned, both belonging to RSA, one of which doesn't appear to have been covered by their most recent audit and is therefore a candidate for removal.
That's not quite what it says - the one that wasn't covered by the most recent audit isn't a candidate for removal until 1/1/2012 at the earliest. The other certificate is completely unknown.
That's a bit more information, but the headline here at HN is still overblown; we're down to one unidentified root certificate that was probably issued by RSA, but for which no records can be found. Most probably attributable to incompetence and poor recordkeeping rather than a malicious compromise of the whole PKI.
And wasn't there some discussion in the last week or two about how easily you could impersonate anybodies valid ssl cert if you could get hold of a real root cert? (something about browsers not notifying users that a previously seen cert is now authenticating via a different root?)
I am not a crypto expert so correct me if I'm wrong, but as I understand it, anyone with a root key necessarily can subvert the entire system in a straightforward way.
7 comments
[ 3.4 ms ] story [ 25.3 ms ] threadThis thread gives more context:
http://groups.google.com/group/mozilla.dev.security.policy/b...
Both "RSA Security 1024 V3" and "RSA Security 2048 V3" are shown as valid in Apple's System Roots.
Microsoft's list includes "RSA Security 2048 V3", but not "RSA Security 1024 V3".
I'm glad there's more transparency about what is added to the NSS certificate store nowadays.