Since I work a lot with PKI design, I can't help wondering how someone like Comodo/Usertrust can still be considered trustworthy. In my opinion the update should be to remove them from the list of trusted issuers! I think that the fact that VeriSign got away with it in 2001 has set a standard that we can continue to trust issuers even if they have proven not to be trustworthy.
I think that this is a very dangerous path, since this will lower the trust in certificates as a secure identity.
After the attack on Comodo late last week, please make sure to install the update described in Microsoft Security Advisory "Fraudulent Digital Certificates Could Allow Spoofing".
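One way to confirm that the advisory's distrust entries are actually in place on a Windows machine after installing the update is to look in the local machine's Untrusted Certificates store. The following PowerShell is an added example, not part of the original post or of Microsoft's advisory; the issuer/subject name patterns it matches on are an assumption, since the exact certificates are listed in the advisory itself.

```powershell
# Added example (not from the original post). Lists entries in the local
# machine's Untrusted Certificates store (Cert:\LocalMachine\Disallowed)
# whose issuer or subject mentions Comodo or UserTrust, so an administrator
# can see whether the advisory's distrust entries are present after the update.
# The name pattern below is an assumption; the authoritative list of
# certificates is in the Microsoft advisory.
$namePattern = 'COMODO|UserTrust|USERFirst'

$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed

$found = $disallowed | Where-Object {
    $_.Issuer -match $namePattern -or $_.Subject -match $namePattern
}

if ($found) {
    Write-Output "Distrusted certificate entries matching '$namePattern':"
    $found | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Output "No entries matching '$namePattern' in the Untrusted store; check that the update is installed."
}
```

Run it in an elevated PowerShell session; the Disallowed store is machine-wide, and reading it with the Cert: provider needs no third-party modules.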
I don't understand your stance.
I wish I could understand what is your opinion on the subject.
On one hand you say that Comodo CA should be removed from the list of trusted users, then you claim that VeriSign "got away with it" (what does it mean? I really have no idea) and then declare that "we can continue to trust issuers even if they have proven not being trustworthy"; or that this is a de facto standard. I don't understand.
Even your title, "Why should we trust them!" is not clear. Maybe "why should we trust them?" or "Why we should trust them!" would have been less ambiguous.
I'm currently looking for data about Comodo Certification Authority and I'm puzzled to see there is no very specific or deep information about this topic. How come? Do you have any useful pointers?