In Windows Server 2012 AD CS, How Many Root CAs Can You Install in a Single Certificate Hierarchy?
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents.[1]
Overview
Trusted certificates can be used to create secure connections to a server via the Internet. A certificate is essential in order to circumvent a malicious party which happens to be on the route to a target server and which acts as if it were the target. Such a scenario is commonly referred to as a man-in-the-middle attack. The client uses the CA certificate to authenticate the CA signature on the server certificate, as part of the authorizations before launching a secure connection.[2] Usually, client software (for example, browsers) includes a set of trusted CA certificates. This makes sense, as many users need to trust their client software. A malicious or compromised client can skip any security check and still fool its users into believing otherwise.
The clients of a CA are server supervisors who call for a certificate that their servers will bestow to users. Commercial CAs charge money to issue certificates, and their customers anticipate the CA's certificate to be contained within the majority of web browsers, so that safe connections to the certified servers work efficiently out-of-the-box. The quantity of internet browsers, other devices and applications which trust a particular certificate authority is referred to as ubiquity. Mozilla, which is a non-profit business, issues several commercial CA certificates with its products.[3] While Mozilla developed their own policy, the CA/Browser Forum developed similar guidelines for CA trust. A single CA certificate may be shared among multiple CAs or their resellers. A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.
In addition to commercial CAs, some non-profits issue publicly-trusted digital certificates without charge, for example Let's Encrypt. Some large cloud computing and web hosting companies are also publicly-trusted CAs and issue certificates to services hosted on their infrastructure, for example Amazon Web Services, Cloudflare, and Google Cloud Platform.
Large organizations or government bodies may have their own PKIs (public key infrastructure), each containing their own CAs. Any site using self-signed certificates acts as its own CA.
Commercial banks that issue EMV payment cards are governed by the EMV Certificate Authority,[4] payment schemes that route payment transactions initiated at Point of Sale Terminals (POS) to a Card Issuing Bank to transfer the funds from the card holder's bank account to the payment recipient's bank account. Each payment card presents along with its card information also the Card Issuer Certificate to the POS. The Issuer Certificate is signed by EMV CA Certificate. The POS retrieves the public key of EMV CA from its storage, validates the Issuer Certificate and authenticity of the payment card before sending the payment request to the payment scheme.
Browsers and other clients of sorts characteristically allow users to add or do away with CA certificates at will. While server certificates regularly last for a relatively short period, CA certificates are further extended,[5] so, for repeatedly visited servers, it is less error-prone importing and trusting the CA issued, rather than confirming a security exemption each time the server's certificate is renewed.
Less often, trustworthy certificates are used for encrypting or signing messages. CAs dispense end-user certificates too, which can be used with S/MIME. However, encryption entails the receiver's public key and, since authors and receivers of encrypted messages, apparently, know one another, the usefulness of a trusted third party remains confined to the signature verification of messages sent to public mailing lists.
Providers
Worldwide, the certificate authority business is fragmented, with national or regional providers dominating their home market. This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities.
However, the market for globally trusted TLS/SSL server certificates is largely held by a small number of multinational companies. This market has significant barriers to entry due to the technical requirements.[6] While not legally required, new providers may choose to undergo annual security audits (such as WebTrust[7] for certificate authorities in North America and ETSI in Europe[8]) to be included as a trusted root by a web browser or operating system.
As of 24 August 2020, 147 root certificates, representing 52 organizations, are trusted in the Mozilla Firefox web browser,[9] 168 root certificates, representing 60 organizations, are trusted by macOS,[10] and 255 root certificates, representing 101 organizations, are trusted by Microsoft Windows.[11] As of Android 4.2 (Jelly Bean), Android currently contains over 100 CAs that are updated with each release.[12]
On November 18, 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let's Encrypt, a nonprofit certificate authority that provides free domain validated X.509 certificates as well as software to enable installation and maintenance of certificates.[13] Let's Encrypt is operated by the newly formed Internet Security Research Group, a California nonprofit recognized as federally tax-exempt.[14]
According to Netcraft in May 2015, the industry standard for monitoring active TLS certificates, "Although the global [TLS] ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo, GoDaddy) account for three-quarters of all issued [TLS] certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since [our] survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share."[15]
As of November 2021, the survey company W3Techs, which collects statistics on certificate authority usage among the Alexa top 10 million and the Tranco top 1 million websites, lists the five largest authorities by absolute usage share as below.
Rank | Issuer | Usage |
---|---|---|
1 | IdenTrust | 36.0% |
2 | DigiCert | 16.9% |
3 | Sectigo (Comodo Cybersecurity) | 15.3% |
4 | Let's Encrypt | 11.1% |
5 | GoDaddy | 5.6% |
Validation standards
The commercial CAs that issue the bulk of certificates for HTTPS servers typically use a technique called "domain validation" to authenticate the recipient of the certificate. The techniques used for domain validation vary between CAs, but in general domain validation techniques are meant to prove that the certificate applicant controls a given domain name, not any information about the applicant's identity.
Many Certificate Authorities also offer Extended Validation (EV) certificates as a more rigorous alternative to domain validated certificates. Extended validation is intended to verify not only control of a domain name, but additional identity information to be included in the certificate. Some browsers display this additional identity information in a green box in the URL bar. One limitation of EV as a solution to the weaknesses of domain validation is that attackers could still obtain a domain validated certificate for the victim domain, and deploy it during an attack; if that occurred, the difference observable to the victim user would be the absence of a green bar with the company name. There is some question as to whether users would be likely to recognise this absence as indicative of an attack being in progress: a test using Internet Explorer 7 in 2009 showed that the absence of IE7's EV warnings was not noticed by users; however, Microsoft's current browser, Edge, shows a significantly greater difference between EV and domain validated certificates, with domain validated certificates having a hollow, grey lock.
Validation weaknesses
Domain validation suffers from certain structural security limitations. In particular, it is always vulnerable to attacks that allow an adversary to observe the domain validation probes that CAs send. These can include attacks against the DNS, TCP, or BGP protocols (which lack the cryptographic protections of TLS/SSL), or the compromise of routers. Such attacks are possible either on the network near a CA, or near the victim domain itself.
One of the most common domain validation techniques involves sending an email containing an authentication token or link to an email address that is likely to be administratively responsible for the domain. This could be the technical contact email address listed in the domain's WHOIS entry, or an administrative email like admin@, administrator@, webmaster@, hostmaster@ or postmaster@ the domain.[16][17] Some Certificate Authorities may accept confirmation using root@,[citation needed] info@, or support@ in the domain.[18] The theory behind domain validation is that only the legitimate owner of a domain would be able to read emails sent to these administrative addresses.
Domain validation implementations have sometimes been a source of security vulnerabilities. In one instance, security researchers showed that attackers could obtain certificates for webmail sites because a CA was willing to use an email address like ssladmin@domain.com for domain.com, but not all webmail systems had reserved the "ssladmin" username to prevent attackers from registering it.[19]
Prior to 2011, there was no standard list of email addresses that could be used for domain validation, so it was not clear to email administrators which addresses needed to be reserved. The first version of the CA/Browser Forum Baseline Requirements, adopted November 2011, specified a list of such addresses. This allowed mail hosts to reserve those addresses for administrative use, though such precautions are still not universal. In January 2015, a Finnish man registered the username "hostmaster" at the Finnish version of Microsoft Live and was able to obtain a domain-validated certificate for live.fi, despite not being the owner of the domain name.[20]
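The mitigation on the mail-host side is to refuse end-user registration of those mailbox names, including variants that deliver to the same mailbox. The following is an added example, not part of the original article: the reserved names are the ones listed in the text above, while the normalisation rules (case folding, "+tag" sub-addressing, optional dot-insensitivity) describe a hypothetical mail system and are assumptions.

```python
"""Reserve the mailbox names that CAs use for domain-validation e-mail.

Added illustration: the reserved names are the ones listed in the text above;
the normalisation rules describe a hypothetical mail system.
"""
import unicodedata

# Local parts the article names as used, or possibly accepted, by CAs.
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "root", "info", "support", "ssladmin",
})


def canonical_local_part(requested: str, ignore_dots: bool = False) -> str:
    """Return the mailbox a requested username would actually deliver to.

    Assumed delivery rules (adjust to the real mail system):
      * local parts are case-insensitive,
      * Unicode compatibility forms (e.g. full-width letters) fold to ASCII,
      * "+tag" sub-addressing delivers to the part before the "+",
      * optionally, dots in the local part are ignored.
    """
    name = unicodedata.normalize("NFKC", requested).strip().casefold()
    name = name.split("@", 1)[0]      # accept "user" or "user@domain"
    name = name.split("+", 1)[0]      # drop the sub-address tag
    if ignore_dots:
        name = name.replace(".", "")
    return name


def is_reserved(requested: str, ignore_dots: bool = False) -> bool:
    """True if registering this username would capture a validation mailbox."""
    return canonical_local_part(requested, ignore_dots) in RESERVED_LOCAL_PARTS


def audit_accounts(usernames, ignore_dots: bool = False):
    """List existing end-user accounts that collide with a reserved name."""
    return sorted(u for u in usernames if is_reserved(u, ignore_dots))


if __name__ == "__main__":
    # Constructed sample of end-user registrations on a webmail service.
    sample = ["alice", "HostMaster", "ssladmin+promo", "web.master", "bob.admin"]
    print(audit_accounts(sample))
    print(audit_accounts(sample, ignore_dots=True))
```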
Issuing a certificate
A CA issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the issued certificate. CAs use a variety of standards and tests to do so. In essence, the certificate authority is responsible for saying "yes, this person is who they say they are, and we, the CA, certify that".[21]
If the user trusts the CA and can verify the CA's signature, then they can also assume that a certain public key does indeed belong to whoever is identified in the certificate.[22]
Example
Public-key cryptography can be used to encrypt data communicated between two parties. This can typically happen when a user logs on to any site that implements the HTTP Secure protocol. In this example let us suppose that the user logs on to their bank's homepage www.bank.example to do online banking. When the user opens the www.bank.example homepage, they receive a public key along with all the data that their web browser displays. The public key could be used to encrypt data from the client to the server but the safe procedure is to use it in a protocol that determines a temporary shared symmetric encryption key; messages in such a key exchange protocol can be enciphered with the bank's public key in such a way that only the bank server has the private key to read them.[23]
The rest of the communication then proceeds using the new (disposable) symmetric key, so when the user enters some information to the bank's page and submits the page (sends the information back to the bank) then the data the user has entered to the page will be encrypted by their web browser. Therefore, even if someone can access the (encrypted) information that was communicated from the user to www.bank.example, such an eavesdropper cannot read or decipher it.
This mechanism is only safe if the user can be sure that it is the bank that they see in their web browser. If the user types in www.bank.example, but their communication is hijacked and a fake website (that pretends to be the bank website) sends the page data back to the user's browser, the fake web page can send a fake public key to the user (for which the fake site owns a matching private key). The user will fill the form with their personal data and will submit the page. The fake web page will then get access to the user's data.
This is what the certificate authority mechanism is intended to prevent. A certificate authority (CA) is an organization that stores public keys and their owners, and every party in a communication trusts this organization (and knows its public key). When the user's web browser receives the public key from www.bank.example it also receives a digital signature of the key (with some more information, in a so-called X.509 certificate). The browser already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it: since www.bank.example uses a public key that the certification authority certifies, a fake www.bank.example can only use the same public key. Since the fake www.bank.example does not know the corresponding private key, it cannot create the signature needed to verify its authenticity.[24]
Security
It is difficult to assure correctness of match between data and entity when the data are presented to the CA (perhaps over an electronic network), and when the credentials of the person/company/program asking for a certificate are likewise presented. This is why commercial CAs often use a combination of authentication techniques including leveraging government bureaus, the payment infrastructure, third parties' databases and services, and custom heuristics. In some enterprise systems, local forms of authentication such as Kerberos can be used to obtain a certificate which can in turn be used by external relying parties. Notaries are required in some cases to personally know the party whose signature is being notarized; this is a higher standard than is reached by many CAs. According to the American Bar Association outline on Online Transaction Management the primary points of US Federal and State statutes enacted regarding digital signatures has been to "prevent conflicting and overly burdensome local regulation and to establish that electronic writings satisfy the traditional requirements associated with paper documents." Further the US E-Sign statute and the suggested UETA code[25] help ensure that:
- a signature, contract or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
- a contract relating to such transaction may not be denied legal effect, validity or enforceability solely because an electronic signature or electronic record was used in its formation.
Despite the security measures undertaken to correctly verify the identities of people and companies, there is a risk of a single CA issuing a bogus certificate to an imposter. It is also possible to register individuals and companies with the same or very similar names, which may lead to confusion. To minimize this hazard, the certificate transparency initiative proposes auditing all certificates in a public unforgeable log, which could help in the prevention of phishing.[26][27]
In large-scale deployments, Alice may not be familiar with Bob's certificate authority (perhaps they each have a different CA server), so Bob's certificate may also include his CA's public key signed by a different CA2, which is presumably recognizable by Alice. This process typically leads to a hierarchy or mesh of CAs and CA certificates.
Certificate revocation
Authorities in the WebPKI provide revocation services to allow invalidation of previously issued certificates. According to the Baseline Requirements by the CA/Browser forum, the CAs must maintain revocation status until certificate expiration. The status must be delivered using Online Certificate Status Protocol. Most revocation statuses on the Internet disappear soon after the expiration of the certificates.[28]
An authority revocation list (ARL) is a form of certificate revocation list (CRL) containing certificates issued to certificate authorities, contrary to CRLs which contain revoked end-entity certificates.
Industry organizations
- Certificate Authority Security Council (CASC) – In February 2013, the CASC was founded as an industry advocacy organization dedicated to addressing industry issues and educating the public on internet security. The founding members are the seven largest Certificate Authorities.[29][30]
- Common Computing Security Standards Forum (CCSF) – In 2009 the CCSF was founded to promote industry standards that protect end users. Comodo Group CEO Melih Abdulhayoğlu is considered the founder of the CCSF.[31]
- CA/Browser Forum – In 2005, a new consortium of Certificate Authorities and web browser vendors was formed to promote industry standards and baseline requirements for internet security. Comodo Group CEO Melih Abdulhayoğlu organized the first meeting and is considered the founder of the CA/Browser Forum.[32][33]
Baseline requirements
The CA/Browser Forum publishes the Baseline Requirements,[34] a list of policies and technical requirements for CAs to follow. These are a requirement for inclusion in the certificate stores of Firefox[35] and Safari.[36]
CA compromise
If the CA can be subverted, then the security of the entire system is lost, potentially subverting all the entities that trust the compromised CA.
For example, suppose an attacker, Eve, manages to get a CA to issue to her a certificate that claims to represent Alice. That is, the certificate would publicly state that it represents Alice, and might include other information about Alice. Some of the information about Alice, such as her employer name, might be true, increasing the certificate's credibility. Eve, however, would have the all-important private key associated with the certificate. Eve could then use the certificate to send digitally signed email to Bob, tricking Bob into believing that the email was from Alice. Bob might even respond with encrypted email, believing that it could only be read by Alice, when Eve is actually able to decrypt it using the private key.
A notable case of CA subversion like this occurred in 2001, when the certificate authority VeriSign issued two certificates to a person claiming to represent Microsoft. The certificates have the name "Microsoft Corporation", so they could be used to spoof someone into believing that updates to Microsoft software came from Microsoft when they actually did not. The fraud was detected in early 2001. Microsoft and VeriSign took steps to limit the impact of the problem.[37][38]
In 2008, Comodo reseller Certstar sold a certificate for mozilla.com to Eddy Nigg, who had no authority to represent Mozilla.[39]
In 2011 fraudulent certificates were obtained from Comodo and DigiNotar,[40][41] allegedly by Iranian hackers. There is evidence that the fraudulent DigiNotar certificates were used in a man-in-the-middle attack in Iran.[42]
In 2012, it became known that Trustwave issued a subordinate root certificate that was used for transparent traffic management (man-in-the-middle) which effectively permitted an enterprise to sniff SSL internal network traffic using the subordinate certificate.[43]
Key storage
An attacker who steals a certificate authority's private keys is able to forge certificates as if they were the CA, without needing ongoing access to the CA's systems. Key theft is therefore one of the main risks certificate authorities defend against. Publicly trusted CAs almost always store their keys on a hardware security module (HSM), which allows them to sign certificates with a key, but generally prevents extraction of that key with both physical and software controls. CAs typically take the further precaution of keeping the key for their long-term root certificates in an HSM that is kept offline, except when it is needed to sign shorter-lived intermediate certificates. The intermediate certificates, stored in an online HSM, can do the day-to-day work of signing end-entity certificates and keeping revocation information up to date.
CAs sometimes use a key ceremony when generating signing keys, in order to ensure that the keys are not tampered with or copied.
Implementation weakness of the trusted third party scheme
The critical weakness in the way that the current X.509 scheme is implemented is that any CA trusted by a particular party can then issue certificates for any domain they choose. Such certificates will be accepted as valid by the trusting party whether they are legitimate and authorized or not.[44] This is a serious shortcoming given that the most commonly encountered technology employing X.509 and trusted third parties is the HTTPS protocol. As all major web browsers are distributed to their end-users pre-configured with a list of trusted CAs that numbers in the dozens, this means that any one of these pre-approved trusted CAs can issue a valid certificate for any domain whatsoever.[45] The industry response to this has been muted.[46] Given that the contents of a browser's pre-configured trusted CA list is determined independently by the party that is distributing or causing to be installed the browser application, there is really nothing that the CAs themselves can do.
This issue is the driving impetus behind the development of the DNS-based Authentication of Named Entities (DANE) protocol. If adopted in conjunction with Domain Name System Security Extensions (DNSSEC), DANE will greatly reduce if not completely eliminate the role of trusted third parties in a domain's PKI.
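Because any trusted CA can issue for any domain, a domain owner's practical check is to compare what public logs record against the issuers the domain actually uses, which is the auditing role the certificate transparency paragraph under Security describes. The following is an added example, not part of the original article: the record layout, issuer names, serials and policy are constructed for illustration and do not reproduce any real log's API or format.

```python
"""Flag logged certificates for watched domains that name an unexpected issuer.

Added illustration: LoggedCert, POLICY and SAMPLE_LOG are constructed; a real
monitor would fill LoggedCert from parsed certificate transparency entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoggedCert:
    serial: str        # certificate serial as recorded in the log
    issuer: str        # issuing CA name taken from the certificate
    dns_names: tuple   # DNS names the certificate is valid for


def normalise(name: str) -> str:
    """Lower-case a DNS name, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def covered_domain(dns_name: str, rules: dict):
    """Return the watched domain that dns_name falls under, or None.

    Matching is on whole labels, so "notbank.example" is not treated as part
    of "bank.example". The longest watched domain wins when several match.
    """
    host = normalise(dns_name)
    for domain in sorted(rules, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def unexpected_issuance(entries, policy: dict):
    """Return (serial, dns_name, issuer) for each name issued outside policy."""
    rules = {normalise(d): set(issuers) for d, issuers in policy.items()}
    findings = []
    for cert in entries:
        for dns_name in cert.dns_names:
            domain = covered_domain(dns_name, rules)
            if domain is not None and cert.issuer not in rules[domain]:
                findings.append((cert.serial, dns_name, cert.issuer))
    return findings


# Hypothetical policy: the only CA this domain owner buys certificates from.
POLICY = {"bank.example": {"Example Trust CA"}}

# Constructed log entries (not real certificates).
SAMPLE_LOG = [
    LoggedCert("01", "Example Trust CA", ("www.bank.example", "bank.example")),
    LoggedCert("02", "Other Root CA", ("www.bank.example",)),
    LoggedCert("03", "Other Root CA", ("*.bank.example",)),
    LoggedCert("04", "Other Root CA", ("notbank.example", "bank.example.invalid")),
]

if __name__ == "__main__":
    for finding in unexpected_issuance(SAMPLE_LOG, POLICY):
        print("unexpected issuer:", finding)
```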
See also
- Validation authority
- Contact page
- People for Internet Responsibility
- Web of trust
- Chain of trust
- Digital signature
- DigiNotar certificate authority breach
- Comodo certificate authority breach
References
- "What is a certificate authority (CA)?".
- Villanueva, John Carl. "How do Digital Certificates Work - An Overview". www.jscape.com. Retrieved 2021-09-05.
- "Mozilla Included CA Certificate List — Mozilla". Mozilla.org. Archived from the original on 2013-08-04. Retrieved 2014-06-11.
- "EMV CA". EMV Certificate Authority Worldwide. 2 October 2010. Retrieved February 17, 2019.
- Zakir Durumeric; James Kasten; Michael Bailey; J. Alex Halderman (12 September 2013). "Analysis of the HTTPS Certificate Ecosystem" (PDF). The Internet Measurement Conference. SIGCOMM. Archived (PDF) from the original on 22 December 2013. Retrieved 20 December 2013.
- "What is SSL Certificate?". Archived from the original on 2015-11-03. Retrieved 2015-10-16.
- "webtrust". webtrust. Archived from the original on 2013-08-18. Retrieved 2013-03-02.
- Kirk Hall (April 2013). "Standards and Industry Regulations Applicable to Certification Authorities" (PDF). Trend Micro. Archived (PDF) from the original on 2016-03-04. Retrieved 2014-06-11.
- "CA:IncludedCAs - MozillaWiki". wiki.mozilla.org. Archived from the original on 2017-03-25. Retrieved 2017-03-18.
- "List of available trusted root certificates in macOS High Sierra". Apple Support. Retrieved 2020-08-24.
- "Microsoft Included CA Certificate List". ccadb-public.secure.force.com. Retrieved 2020-08-24.
- "Security with HTTPS and SSL". developer.android.com. Archived from the original on 2017-07-08. Retrieved 2017-06-09.
- "Let's Encrypt: Delivering SSL/TLS Everywhere" (Press release). Let's Encrypt. Archived from the original on 2014-11-18. Retrieved 2014-11-20.
- "About". Let's Encrypt. Archived from the original on 2015-06-10. Retrieved 2015-06-07.
- "Counting SSL certificates - Netcraft". news.netcraft.com. Archived from the original on 2015-05-16.
- "Archived copy" (PDF). Archived (PDF) from the original on 2015-03-23. Retrieved 2015-03-20.
- "CA/Forbidden or Problematic Practices - MozillaWiki". wiki.mozilla.org. Archived from the original on 2017-07-21. Retrieved 2017-07-06.
- "SSL FAQ - Frequently Asked Questions - Rapid SSL". www.rapidssl.com. Archived from the original on 2015-02-06.
- Zusman, Mike (2009). Criminal charges are not pursued: Hacking PKI (PDF). DEF CON 17. Las Vegas. Archived (PDF) from the original on 2013-04-15.
- "A Finnish man created this simple email account - and received Microsoft's security certificate". tivi.fi. Archived from the original on 2015-08-08.
- "Responsibilities of Certificate Authority". Archived from the original on 2015-02-12. Retrieved 2015-02-12.
- "Network World". 17 January 2000.
- Applied Cryptography and Network Security: Second International Conference, ACNS 2004, Yellow Mountain, China, June 8-11, 2004. Proceedings. Springer. June 2004. ISBN 9783540222170.
- The Shortcut Guide to Managing Certificate Lifecycles. Realtimepublishers.com. 2006. ISBN 9781931491594.
- "Electronic Signatures and Records" (PDF). Archived (PDF) from the original on 2016-03-04. Retrieved 2014-08-28.
- "Certificate transparency". Archived from the original on 2013-11-01. Retrieved 2013-11-03.
- Laurie, Ben; Langley, Adam; Kasper, Emilia (June 2013). "Certificate transparency". Internet Engineering Task Force. Archived from the original on 2013-11-22. Retrieved 2013-11-03.
- Korzhitskii, Nikita; Carlsson, Niklas (2021). Revocation Statuses on the Internet. In proceedings of 2022 Passive and Active Measurement Conference (PAM 2021). arXiv:2102.04288.
- "Multivendor power council formed to address digital certificate issues". Network World. February 14, 2013. Archived from the original on July 28, 2013.
- "Major Certificate Authorities Unite In The Name Of SSL Security". Dark Reading. February 14, 2013. Archived from the original on April 10, 2013.
- "CA/Browser Forum Founder". Archived from the original on 2014-08-23. Retrieved 2014-08-23.
- "CA/Browser Forum". Archived from the original on 2013-05-12. Retrieved 2013-04-23.
- Wilson, Wilson. "CA/Browser Forum History" (PDF). DigiCert. Archived (PDF) from the original on 2013-05-12. Retrieved 2013-04-23.
- "Baseline Requirements". CAB Forum. Archived from the original on 7 January 2014. Retrieved 14 April 2017.
- "Mozilla Root Store Policy". Mozilla. Archived from the original on 15 April 2017. Retrieved 14 April 2017.
- "Apple Root Certificate Program". Apple. Archived from the original on 20 March 2017. Retrieved 14 April 2017.
- "CA-2001-04". Cert.org. Archived from the original on 2013-11-02. Retrieved 2014-06-11.
- Microsoft, Inc. (2007-02-21). "Microsoft Security Bulletin MS01-017: Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard". Archived from the original on 2011-10-26. Retrieved 2011-11-09.
- Seltzer, Larry. "SSL Certificate Vendor Sells Mozilla.com CSSL Certificate to Some Guy". eWeek. Retrieved 5 December 2021.
- Bright, Peter (28 March 2011). "Independent Iranian hacker claims responsibility for Comodo hack". Ars Technica. Archived from the original on 29 August 2011. Retrieved 2011-09-01.
- Bright, Peter (2011-08-30). "Another fraudulent certificate raises the same old questions about certificate authorities". Ars Technica. Archived from the original on 2011-09-12. Retrieved 2011-09-01.
- Leyden, John (2011-09-06). "Inside 'Operation Black Tulip': DigiNotar hack analysed". The Register. Archived from the original on 2017-07-03.
- "Trustwave issued a man-in-the-middle certificate". The H Security. 2012-02-07. Archived from the original on 2012-03-13. Retrieved 2012-03-14.
- Osborne, Charlie. "Symantec sacks staff for issuing unauthorized Google certificates - ZDNet". zdnet.com. Archived from the original on 2016-10-02.
- "Unauthorized Google Digital Certificates Discovered". linkedin.com. 12 August 2014.
- "In the Wake of Unauthorized Certificate Issuance by the Indian CA NIC, can Government CAs Still be Considered "Trusted Third Parties"?". casecurity.org. 24 July 2014. Archived from the original on 3 October 2016.
External links
- How secure is HTTPS today? How often is it attacked?, Electronic Frontier Foundation (25 October 2011)
Source: https://en.wikipedia.org/wiki/Certificate_authority