Sloppy certificate authorities put on notice

In the wake of GlobalSign, Comodo, and DigiNotar attacks, Microsoft, Mozilla, and Opera revoke untrustworthy certs

Page 2 of 2

A certificate that carries no revocation information gives the relying party no way to go back to the issuing authority (and/or its parents) and ask whether the certificate is still valid or has since been revoked. Revocation information is usually an HTTP URL embedded in the certificate itself: a CRL distribution point, or the address of an OCSP responder carried in the authority information access extension. Whether a client actually consults that URL is often optional, and many clients fail open when the check cannot be completed, but as the industry puts greater reliance on public PKI, revocation information is becoming a firm requirement rather than a nicety.

Microsoft's removal of Digicert from its Root Certificate program marks a rare event, especially given that the CA was not maliciously compromised. All public CAs are expected to follow best practices -- and usually do.

Clearly, this is Microsoft's warning to other CAs that poor certificate issuing practices will not be tolerated. Many other CAs still issue certificates that carry no revocation information, or that are not appropriately constrained by extensions such as basic constraints, key usage, and extended key usage. Just inspect the certificates in the certificate store on your own computer; it's likely you'll find a few missing the same items. You can bet those CAs are paying closer attention now.
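The inspection suggested above can be automated. The following Go program is an added example, not code from the article or from any CA or vendor named in it: it issues two end-entity certificates from a throwaway test CA, one missing revocation pointers and constraining extensions and one issued properly, then audits each for exactly the omissions the article describes. The CA name, hostname and CRL/OCSP URLs are made up for the example; the same `AuditCertificate` function can be pointed at certificates exported from a real store by parsing them with `x509.ParseCertificate`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCertificate reports the omissions the article complains about: no
// revocation pointer, and no extensions constraining how the key and the
// certificate may be used. It returns nil for a certificate that passes.
func AuditCertificate(c *x509.Certificate) []string {
	var findings []string
	// Revocation information is a CRL distribution point URL and/or an OCSP
	// responder URL (the latter is carried in authorityInfoAccess). With
	// neither, a relying party cannot learn that the certificate was revoked.
	if len(c.CRLDistributionPoints) == 0 && len(c.OCSPServer) == 0 {
		findings = append(findings, "no revocation information (no CRL distribution point, no OCSP responder)")
	}
	// Constraining extensions.
	if !c.BasicConstraintsValid {
		findings = append(findings, "no basicConstraints extension (does not assert whether this is a CA)")
	}
	if c.KeyUsage == 0 {
		findings = append(findings, "no keyUsage extension (key is not limited to particular operations)")
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		findings = append(findings, "no extendedKeyUsage extension (certificate is not limited to a purpose)")
	}
	if c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		findings = append(findings, "CA certificate lacks the keyCertSign key usage")
	}
	return findings
}

// issue signs template with parent's key, or self-signs when parent is nil,
// and returns the DER-decoded result so the audit sees what a relying party
// would see rather than the in-memory template.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildSamples creates a made-up test CA and issues two certificates from
// it: a sloppy one with no revocation pointers and no constraining
// extensions, and a proper one. Names and URLs here are constructed.
func BuildSamples() (sloppy, proper *x509.Certificate) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)

	// Sloppy issuance: nothing but a name and a validity period.
	sloppy, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
	}, ca, caKey)

	// Proper issuance: end-entity basic constraints, key usage, EKU, and
	// both a CRL distribution point and an OCSP responder.
	proper, _ = issue(&x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // emits basicConstraints with cA=FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"},
		OCSPServer:            []string{"http://ocsp.example.test"},
	}, ca, caKey)
	return sloppy, proper
}

func main() {
	sloppy, proper := BuildSamples()
	for _, s := range []struct {
		name string
		cert *x509.Certificate
	}{{"sloppy", sloppy}, {"proper", proper}} {
		findings := AuditCertificate(s.cert)
		fmt.Printf("%s (%s): %d finding(s)\n", s.name, s.cert.Subject.CommonName, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The audit runs on the parsed DER rather than the template so that it checks what actually went on the wire; the sloppy certificate yields four findings (revocation, basicConstraints, keyUsage, extendedKeyUsage) and the proper one yields none. Note that the presence of a CRL or OCSP URL only makes revocation checkable; whether a given client bothers to fetch it is still up to that client.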

This story, "Sloppy certificate authorities put on notice," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at For the latest business technology news, follow on Twitter.
