>Domain validation is hard. It isn't as simple as one may think, and WoSign isn't the first to have a problem. They are still a trusted CA for now, and hopefully they will get their act together quickly.
The vulnerability exposed seems like a basic unit test to me (only assume ownership of validated domains or sub-domains - NOT all domains with a common root (or perhaps substring? the article is sparse on details)).
I had already lost faith in the 'everyone can be a root if they describe their process' model of trust before reading this post, but if software vendors that rely on trust anchors on their users behalf can't be bothered to do even basic due dilligence beyond vendor-sponsered audits, I'm left speachless.
Perhaps my experience with FIPS-140 has jaded me, but after seeing so much more money spent on paper-pushing than actual vulnerability assesment (and remediation), I can't help but feel lost after reading this.
>Domain validation is hard. It isn't as simple as one may think, and WoSign isn't the first to have a problem. They are still a trusted CA for now, and hopefully they will get their act together quickly.
The vulnerability exposed seems like a basic unit test to me (only assume ownership of validated domains or sub-domains - NOT all domains with a common root (or perhaps substring? the article is sparse on details)).
I had already lost faith in the 'everyone can be a root if they describe their process' model of trust before reading this post, but if software vendors that rely on trust anchors on their users behalf can't be bothered to do even basic due dilligence beyond vendor-sponsered audits, I'm left speachless.
Perhaps my experience with FIPS-140 has jaded me, but after seeing so much more money spent on paper-pushing than actual vulnerability assesment (and remediation), I can't help but feel lost after reading this.