Heartbleed: are CA private keys compromised?

0

Have any CA private keys, such as those used by GoDaddy to issue private/public key pairs, been compromised as a result of Heartbleed?

rory

Posted 2014-04-10T21:58:56.127

Reputation: 19

@Ramhound, CA keys are not the same as the certificates used by servers, which are signed by the CA. CA private keys should not be known by the webserver, so it's most likely they have not been compromised. – heavyd – 2014-04-10T22:17:01.463

I misread the question; I thought the author was asking about the certificate issued by a CA. – Ramhound – 2014-04-10T23:25:08.080

Answers

1

The baseline requirements for CAs state:

Key Compromise: A Private Key is said to be compromised if ... there exists a practical technique by which an unauthorized person may discover its value. ...

It also states in section 3.1.5:

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

...

13. The CA is made aware of a possible compromise of the Private Key of the Subordinate CA used for issuing the Certificate;

Any Certificate Authority that stored the private keys it uses for signing on a front-end TLS-enabled webserver (one running a vulnerable version of OpenSSL) would be required to revoke any certificates signed by that key, or face a possible failed audit and subsequent exclusion from trust in browsers, etc.

However, there is no reason to believe that the keys CAs use to sign certificates are stored on public-facing webservers. In fact, the keys for the root certificates are often stored entirely offline.

As far as front-end webservers' private keys (the keys associated with the certificates used to authenticate to clients) go, they may be compromised.

Anders J

Posted 2014-04-10T21:58:56.127

Reputation: 126
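A constructed Go illustration of the distinction this answer draws, added here and not part of the original answer: a constructed test PKI with an offline root and a front-end server key, where the server key (the one Heartbleed could expose) is then used to try to mint a certificate for another host. It assumes only Go's standard crypto/x509 package; all names (example.test) are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tmpl builds a minimal certificate template for a constructed test PKI (no real names involved).
func tmpl(serial int64, cn string, isCA bool, ku x509.KeyUsage, dns ...string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku, DNSNames: dns}
}

// issue signs t under parent with signer; nil means the signer could not issue it at all.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// LeakedLeafKeyCanIssue models Heartbleed exposing only the front-end server's private key and reports
// whether a certificate minted with it chains to the offline root (forged), beside the genuine leaf (genuine).
func LeakedLeafKeyCanIssue() (forged, genuine bool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the offline CA
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives in webserver memory
	rootT := tmpl(1, "Example Root CA", true, x509.KeyUsageCertSign)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	leaf := issue(tmpl(2, "www.example.test", false, x509.KeyUsageDigitalSignature, "www.example.test"), root, &leafKey.PublicKey, rootKey)
	bogus := issue(tmpl(3, "victim.example.test", false, x509.KeyUsageDigitalSignature, "victim.example.test"), leaf, &leafKey.PublicKey, leafKey) // minted with the leaked key
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(leaf) // offered as an "intermediate", which is the best the holder of leafKey can do
	chains := func(c *x509.Certificate, host string) bool {
		if c == nil { return false }
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
		return err == nil
	}
	return chains(bogus, "victim.example.test"), chains(leaf, "www.example.test")
}

func main() { fmt.Println(LeakedLeafKeyCanIssue()) } // prints: false true
```

The leaf carries CA:FALSE and no certSign usage, so path validation rejects anything it "signs": a leaked server key lets an attacker impersonate that one server until the certificate is revoked and re-keyed, but never turns into a CA compromise.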

0

It's very hard to say for sure, but it's extremely unlikely for any reputable CA. No CA worth its salt puts its CA certs anywhere near a public-facing webserver.

Sirex

Posted 2014-04-10T21:58:56.127

Reputation: 10 321