Hacker News

What's particularly terrible about problems like this is an organization with absolutely no relationship with Comodo is vulnerable. The CA system is so horribly broken.

Here is a graph of CA authorities. Who do you trust? https://notary.icsi.berkeley.edu/trust-tree/

See also Comodo vs Letsencrypt. https://letsencrypt.org/2016/06/23/defending-our-brand.html

Funny to see the giant swirl that is DFN with all its individual children.

(DFN is the "Deutsche Forschungsnetz" ("German research network"), and it gives out sub-CAs to the individual member institutions, which apparently is an uncommon practice.)

I talked to the CA guys at my university once and they don't have access to the keys. They do identity verification and send the documents onwards to some other CA folks at DFN for the actual signing. Makes the whole thing rather pointless imho.

Of course, this reminds me of the ANSSI fiasco in late 2013 where one of the intermediates was used for MITM. From https://bugzilla.mozilla.org/show_bug.cgi?id=693450#c29 : "I received email from the CA representative that said that the decision to include this root IGC/A 4096 SHA2 is discontinued (reason is the complexity of the operation and the associated costs)."

The certificates are signed with a SOAP API. The individual institutions do not have the keys for the sub-CAs.

The DFN will change this practice while migrating to a new root certificate from "Deutsche Telekom" by 2019, but the staff at my university has major headaches. It's far easier to document that the members of the university should only trust (e.g. enter their password on) sites with a certificate signed by a CA with the same name as the university.

Seems like (almost) every single German university is part of the DFN and has its own CA. I worked for a hospital for a while that was also part of it. You'd think it would be a nice idea to get rid of bureaucracy and make it easier to obtain certificates, but no, our boss had to appear in person at one of the offices. (Yes, the hospital has several physical offices for its own CA.)

The graph doesn't seem to include Let's Encrypt.

It seems to be based on data from 2012, or at least older than 2015. (Blog post presenting it is from 2012, there are certs listed that expired 2014)

What do the dot sizes and red color indicate?

red = roots not signed by other CA certificates

size = number of certificates signed by it (not sure from what dataset)
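The two comments above explain how the trust-tree graph is derived (roots are certificates not signed by any other CA, node size is the number of certificates a CA has signed), and an earlier comment describes the DFN rule of only trusting sites whose certificate is signed by a CA carrying the university's own name. As an added example, not code from the thread or from the ICSI notary project, the following Python script builds that structure from constructed (subject, issuer) pairs and walks a leaf up to its root; the certificate names are invented sample data chosen to mirror the root / delegated sub-CA / leaf layout the thread discusses.

```python
"""
Added example: build a toy CA trust tree from (subject, issuer) pairs
and derive the properties the thread describes. All certificate names
below are constructed sample data, not real CAs.
"""
from collections import defaultdict

# Constructed sample data: (subject, issuer). A root is self-issued.
# Layout mirrors the thread: one root delegating a research-network CA,
# which in turn delegates a sub-CA to each member institution.
SAMPLE_CERTS = [
    ("Root-A", "Root-A"),
    ("Root-B", "Root-B"),
    ("Research-Net-CA", "Root-A"),
    ("Uni-X-CA", "Research-Net-CA"),
    ("Uni-Y-CA", "Research-Net-CA"),
    ("Hospital-Z-CA", "Research-Net-CA"),
    ("www.uni-x.example", "Uni-X-CA"),
    ("mail.uni-x.example", "Uni-X-CA"),
    ("www.uni-y.example", "Uni-Y-CA"),
    ("www.shop.example", "Root-B"),
]


def build_tree(certs):
    """Return (roots, children, dangling).

    roots    : subjects whose issuer is themselves (the red nodes)
    children : issuer -> list of subjects it signed
    dangling : issuers referenced but absent from the dataset, so the
               caller notices an incomplete certificate set
    """
    subjects = {s for s, _ in certs}
    children = defaultdict(list)
    roots = []
    for subject, issuer in certs:
        if subject == issuer:
            roots.append(subject)
        else:
            children[issuer].append(subject)
    dangling = {i for _, i in certs if i not in subjects}
    return roots, dict(children), dangling


def signed_counts(children):
    """Number of certificates directly signed by each CA (the node size)."""
    return {ca: len(kids) for ca, kids in children.items()}


def chain_to_root(certs, subject):
    """Follow issuer links from a subject up to a self-issued root.

    Stops at a root (issuer == subject) or at a dangling issuer that has
    no certificate in the dataset; raises on an issuer loop.
    """
    issuer_of = {s: i for s, i in certs}
    chain = [subject]
    seen = {subject}
    while True:
        issuer = issuer_of.get(chain[-1])
        if issuer is None or issuer == chain[-1]:
            return chain
        if issuer in seen:
            raise ValueError("issuer loop at %s" % issuer)
        seen.add(issuer)
        chain.append(issuer)


def issued_by_institution(certs, subject, institution_ca):
    """The rule from the DFN comment: is the leaf's immediate issuer the
    institution's own sub-CA? Only the direct issuer counts."""
    chain = chain_to_root(certs, subject)
    return len(chain) > 1 and chain[1] == institution_ca


if __name__ == "__main__":
    roots, children, dangling = build_tree(SAMPLE_CERTS)
    print("roots (red):", roots)
    print("sizes:", signed_counts(children))
    print("dangling issuers:", dangling or "none")
    print("chain:", " -> ".join(chain_to_root(SAMPLE_CERTS, "www.uni-x.example")))
    print("issued by Uni-X-CA:",
          issued_by_institution(SAMPLE_CERTS, "www.uni-x.example", "Uni-X-CA"))
```

Note that a sub-CA which has signed nothing yet (Hospital-Z-CA in the sample) never appears in the size table, which is exactly why a graph built only from observed certificates understates how many CAs are able to issue for any name.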
