
It's also a LOT easier to recover from a key breach - you expire the old *.com certificate, and publish a new one under the root. No problem. The root key, of course, must be VERY carefully guarded - but since updates are infrequent, this can happen on an isolated system with no network connection (or even more paranoid systems, such as secret sharing schemes...)


You can recover from a breach like Diginotar's instantly; just remove their cert from your browser. You have no control over .COM's recovery from a breach.



