Are Digital Certificates Safe? Part 2
Posted By Michael Stewart in Best Practices, Industry News, Security Policies
In my last post, I talked about how security breaches of certificate authorities (CAs), such as the well-known attacks on Comodo and DigiNotar, raised a lot of questions about the reliability and security of the digital certificate system.
Those compromises raised the concern that attacks of this type, i.e. falsely issued certificates, were beginning to occur more frequently. Nor have they been limited to “foreign” or minor CAs: even VeriSign has been socially engineered into issuing false Microsoft certificates to hackers.
What has finally come to the forefront is that there is no system behind the CAs to ensure that two CAs do not issue certificates for the same entity. When a second (or further) certificate is issued for an identity, it is usually issued fraudulently, to hackers impersonating the original entity.
The CAs have little to no cross communication and no universal identification system for checking whether another CA has already issued a certificate for a given identity. I do not mean to imply that a CA issues certificates to the wrong people on purpose, but that it has no means of checking whether the certificate currently being requested is going to the proper entity. A CA can check whether the identity is already validated by a certificate from another CA in the same way that you can.
Simply open a browser and visit the organization's URL. If the browser does not do so automatically, force it to initiate an SSL/TLS connection. Then click the SSL/TLS lock icon (typically a padlock) and view the certificate details. However, while this shows which CA has already issued a certificate to the entity and when it will expire, it does not tell you whether that certificate was validly issued. Nor does it tell you whether the entity is deliberately changing CAs, even though its current certificate may still be valid for some time.
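The manual check above, reading the issuer and expiry from a certificate, can be scripted. The following is an added example and not code from the original post: it builds a test certificate in memory (a constructed "Example Test CA" and "www.example.com", not real identities) so it runs offline, then extracts the issuer and NotAfter the way a browser's certificate viewer shows them. The `IssuerMatches` helper is an assumption about how an operator might use the result: comparing the observed issuer against the CAs they expect for their own hostname, which flags the "a second CA issued a certificate for us" situation the post describes. As the post notes, none of this proves the certificate was validly issued; it only reports who signed it and when it expires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary holds the fields a browser certificate viewer shows first:
// the subject, who issued the certificate, and when it stops being valid.
type CertSummary struct {
	Subject  string
	Issuer   string
	NotAfter time.Time
}

// Inspect parses a DER-encoded certificate and extracts subject, issuer and expiry.
func Inspect(der []byte) (CertSummary, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	return CertSummary{
		Subject:  cert.Subject.CommonName,
		Issuer:   cert.Issuer.CommonName,
		NotAfter: cert.NotAfter,
	}, nil
}

// IssuerMatches reports whether the observed issuer is one of the CAs the
// operator expects for this hostname (hypothetical operator policy, not a
// standard API). A mismatch is what an unexpected issuance by another CA
// would look like; it does not by itself prove the certificate is fraudulent.
func IssuerMatches(s CertSummary, expected []string) bool {
	for _, e := range expected {
		if s.Issuer == e {
			return true
		}
	}
	return false
}

// Expired reports whether the certificate is past its NotAfter at time now.
func Expired(s CertSummary, now time.Time) bool {
	return now.After(s.NotAfter)
}

// makeTestCert builds a CA-signed leaf certificate in memory. The names are
// constructed test data, not a real CA or site, so the example runs offline.
func makeTestCert(subject, issuer string, notAfter time.Time) ([]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Parent (issuer) template: CreateCertificate takes the leaf's Issuer
	// from the parent's Subject, so the issuer name lives here.
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: issuer},
		NotBefore:             notAfter.Add(-2 * 365 * 24 * time.Hour),
		NotAfter:              notAfter.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		DNSNames:     []string{subject},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
}

func main() {
	exp := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	der, err := makeTestCert("www.example.com", "Example Test CA", exp)
	if err != nil {
		panic(err)
	}
	s, err := Inspect(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s issuer=%s expires=%s\n", s.Subject, s.Issuer, s.NotAfter.Format(time.RFC3339))
	fmt.Println("issuer expected:", IssuerMatches(s, []string{"Example Test CA"}))
	fmt.Println("expired now:", Expired(s, time.Now()))
}
```

In practice the DER bytes would come from `tls.Conn.ConnectionState().PeerCertificates` after connecting to the site, which is the scripted equivalent of clicking the padlock; the comparison against an expected-issuer list is the part the browser view does not do for you.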
Stay tuned for my Part 3 post to come tomorrow, in which I’ll describe how a CA goes about investigating an identity before issuing a certificate.