nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

From: Michael DeMan <nanog () deman com>
Date: Fri, 9 Sep 2011 20:06:42 -0700
Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all.

I though wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'.

Is it true that the my browser on a windows, mac, or linux desktop may have listed as trusted authorities, an outfit 
that sells '*.*.tld' ?

Thanks,

- Mike

On Sep 9, 2011, at 2:54 PM, Paul wrote:


On 09/09/2011 11:48 AM, Marcus Reid wrote:

On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:

FYI!!!

http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_dee
ms_all_diginotar_certificates_untrust.html

Google and Mozilla have also updated their browsers to block all DigiNotar
certificates, while Apple has been silent on the issue, a emblematic zombie
response!

Apple has sent out a notification saying that they are removing
DigiNotar from their list of trusted root certs.

I like this response; instant CA death penalty seems to put the
incentives about where they need to be.

Marcus


Instant?  This has been going on for over a week, and a lot of damage could have been done in that time, especially 
given certs for *.*.com were signed against Diginotar.  Most cell phones are unable to update their certificates 
without an upgrade and you know how long it takes to get them through Cell Phone carriers.  A number of alternative 
android builds are adding the ability to control accepted root certs to their builds in the interest of speeding this 
up.  The CA system is fundamentally flawed.

Paul
Previous By Date Next
Previous By Thread Next

Current thread: