In the wake of repeated hacker attacks on defense contractors in the United States comes news that the systems of Mitsubishi Heavy Industries, Japan’s biggest defense contractor, have been breached. Mitsubishi’s submarine, missile and nuclear power plant component factories were reportedly targeted by the attackers. Meanwhile, the security community is warning that digital certificates can’t be trusted following the revelation earlier this month that Dutch certificate authority DigiNotar had several certificates compromised.
Since I don't have much room I'll have to be brief:
From the article I wasn't clear on what you were proposing the weakness in PKI was. From what I've read here and elsewhere, it seems that the problem is in key access control, the security of the signing facilities and the time required to revoke compromised keys. For things like web certs, vetting of the applicant is also critical. But nothing actually wrong with the PKI mechanism itself.
I use PKI to allow access to VPNs. But I usually keep the signing computer on a separate network or disconnected, using sneaker-net to get certs signed. The root signing key has to be guarded like Fort Knox!
Malware Munches on Mitsubishi, and Certificates Can Lie
Posted by: Richard Adhikari September 20, 2011 05:00 AM