
The way I read his tale, it sounds like VeriSign may have kept the signing keys for his intermediate CA, and their onsite secure terminal just submitted CSRs back to VeriSign and got the signed certificates back. VeriSign was then in a position to enforce the policy that no certs get signed for anything outside of the domains that should be signed.



I thought so too, but then I read "can't be a root CA because of stringent policies, isolated networks, key generation" and felt he was writing about the weird machine they put on their prem.



