"We applaud security research of this sort and are glad that white hats like the "MD5 Collision Inc." group make a point of investigating online security. This group went to great lengths to keep its findings private, and unfortunately that included ensuring that VeriSign did not receive any of this information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning. So I'll caution you that these responses are preliminary, and if it turns out that any of the information we've received is inaccurate, my responses may change."
I really like this, especially the last sentence. That's refreshingly direct communication.
"A: Zero. No end entity certificates are affected by this attack. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. Existing certificates are not targets for this attack."
This answer seems a little bit, well, disingenuous. Does he not understand the attack or does he not understand SSL?
In the paper itself, they reach the opposite conclusion:
"Question. Suppose that a criminal creates by our method his own rogue Certification Authority that is trusted by all browsers.
Are then only websites with certificates from the CA whose signature he used vulnerable to impersonation attacks?
Are only websites with certificates based on MD5 vulnerable to impersonation attacks?
Answer. No. When a criminal uses redirection attacks in combination with a rogue but trusted CA certificate, all websites are equally vulnerable."
Yes, they're taking a page out of Microsoft's playbook by using a blog post to respond in more detail to a security vulnerability. When executed well, it mollifies critics much better than the press release style of communication due to its appearance of informality.
That being said, I would have liked for them to say that they've reviewed their logs and seen no other issuance activity that followed the same pattern as the researchers, and that they will improve their operational monitoring and serial number sequencing to help protect against future potential attacks.