How an RA compromise could have happened
After yesterday's post about the compromise of a Comodo registration authority, I was asked more than once how this could have happened. I'm actually surprised that it doesn't happen more often. Or it might just be the case that RAs are compromised fairly often, but we just don't know about most of the cases when this happens.
As I mentioned in a previous post, back in the dot-com era I did lots of work with PKI. Because of this I often was asked for help by people who were RAs for their company's CA. In most cases I couldn't do anything useful for them because I would have needed to log in as an RA to do work on their problems. So to let me help them, the RAs would often offer to send me the credentials that I'd need to do this.
In every case, this wasn't just a username and password. Instead, it was the private key and certificate that the RA would use to authenticate to the CA. There was a certain amount of trust involved, of course, and I never took advantage of this happening and became a rogue RA, but because I've had the opportunity to do this on more than one occasion, it doesn't surprise me at all when it happens.
I'd actually guess that there are lots of potential rogue RAs out there that are possible for the same reason that I could have become one. But because most people are trustworthy most of the time, the opportunity to exploit this probably isn't acted on too often.