Comment: Microsoft Windows CryptoAPI fails to properly validate certificates that use ECC
January 2020 by Ambuj Kumar, CEO of Fortanix
Yesterday it was announced that the Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains.
Following the announcement of this vulnerability, Ambuj Kumar, CEO of Fortanix, has shared his insight:
“Elliptic curves have had a bad reputation. Microsoft’s disclosure today that ‘CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains’ and not providing a root cause leaves many questions unanswered. It’ll certainly not help with all the previous history of trustworthiness of ECC.”