Educause Security Discussion mailing list archives

Re: Detecting Certificate Authority compromises and web browser collusion


From: Jack Suess <jack () UMBC EDU>
Date: Thu, 24 Mar 2011 23:57:06 -0400

Valdis,

As a preface let me say I'm on InCommon Steering. I have also been involved with the security groups at EDUCAUSE, 
Internet2, and the REN since we formed them in 2000. 

If you have been involved in getting on-boarded into the InCommon Comodo service you know InCommon has an extensive 
registration process to make certain it is being done properly. I read the blogs and there was criticism that Comodo 
should have done better. After the fact, whenever anyone has had a security incident you realize you should have done 
things better. I'm not trying to defend Comodo but I also recognize the difficulty all places are facing in security 
(RSA is a good example you noted).

The distinction between InCommon and vendors is we are much more transparent in what we do. We have a group of 
campus-based PKI experts that we formed as a subcommittee that reviews and defines everything InCommon does. This group 
is campus-based in that they all work at universities. Their recommendations roll up to our Technical Advisory 
Committee, again all experts from higher education. When we have issues we communicate them out because we also use the 
products and our members are colleagues of yours and want to do what is best.

Many of us have connections to the REN-ISAC and in fact we had good communication going on between Doug Pearson and the 
people at Internet2 on this issue. What we can say is if an issue comes up impacting higher ed we'll be right there 
working with the REN, EDUCAUSE, and Internet2 to get mitigations in place and communicate this to our community. 

I don't know if that makes you feel more at ease but I take comfort knowing that there are people in higher ed with 
expertise I respect involved with this and making sure it is done right.


jack suess  


On Mar 24, 2011, at 9:42 PM, Valdis Kletnieks wrote:

On Thu, 24 Mar 2011 20:58:59 EDT, Dean Woodbeck said:
On Mar 24, 2011, at 2:31 PM, Jesse Thompson wrote:
This is a very interesting article on the failure of the certificate
authority model of trust.  Additionally, it's worth noting that the
specific breach involved Comodo, which is the CA for the new Internet2
InCommon Federation CA.

But this in no way affects nor involves the InCommon Certificate
Service.

All the same, if a vendor tells me "Oh, it's our *other* service that got
pwned, not the one you're using", my gut reaction is "Good. That means I'm not
automatically dead in the water.  So let's take it from the top and you explain
to me what steps have been taken to make sure it isn't the service I *do* use
next time it happens..."

- It's also worth noting that InCommon uses two-factor authentication for all of its master login accounts

<snark>
RSA SecureID, perchance? :)
</snark>

Jack Suess            UMBC VP of IT & CIO
jack () umbc edu    1000 Hilltop Circle
410.455.2582     Baltimore Md, 21250
Homepage:      http://bit.ly/fSB5ID
Blog:                 http://bit.ly/felhWd