
This is actually solid grounds for removal in all trust stores, honestly. They did numerous things wrong (from what I am reading here):

- The CA must have had some warning that it wasn't being loaded onto an HSM

- It was never verified the CSR/key was generated on an HSM (!!!)

- The auditors did not oversee the key being generated (this is typical for roots, although not for intermediaries)

- If this subordinate was in operation for >1yr, how was this not caught in an audit?

And you can't load a certificate off of an HSM, so I'd argue the CA is entirely at fault here.



The fourth point is not true; I looked at the intermediate myself. In fact, the test intermediate is only days old at the time of writing and lasts less than a month before it expires.



