SSL Certificates

Jimmy Hess mysidia at
Thu Feb 16 06:57:25 UTC 2012

On Wed, Feb 15, 2012 at 6:49 PM, George Herbert
<george.herbert at> wrote:
> On Wed, Feb 15, 2012 at 4:17 PM, John Levine <johnl at> wrote:
> The problem with anything related to Verisign at the moment is that

> The possibility of their root certs being compromised is nonzero.

The possibility of _ANY_  CA's root certs having been compromised is non-zero.
There's no evidence published to indicate Verisign's CA key has been
and it's highly unlikely.

Just as there's no evidence of other CAs'  root certificate keys being

> There may be no problem; they also may be completely worthless.  Until
> there's full disclosure...

They are not completely worthless until revoked,  or distrusted by web browsers.

There is a risk that any CA issued SSL certificate signed by _any_ CA
may be worthless some time in the future, if the CA chosen is later
found to have issued  sufficient quantities fraudulent certificates,
and sufficiently failed in their duties.

I suppose if you buy a SSL certificate,  you should be looking for
your CA to have insurance to reimburse the cost of the certificate
should that happen,   and an ironclad   "refund"  clause in the
agreement/contract  under which a SSL cert is issued

E.g.  A guarantee such   that the  CA will refund the complete
certification fee,   or pay for the replacement of the SSL certificate
with a  new  valid certificate   issued by another fully trusted CA,
and  compensate for any tangible loss,    resulting from the   CA's
signing certificate  being marked as untrusted by major browsers,
revoked,  or  removed from major browsers' trust list,   due to any
failure on the CA's part or compromise of their systems, resulting in
loss of trust.


More information about the NANOG mailing list