nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
From: lgomes00 () gmail com
Date: Sun, 11 Sep 2011 15:42:48 -0300
2011/9/11, Joel jaeggli <joelja () bogus com>:
On 9/10/11 23:30 , Damian Menscher wrote:
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia () gmail com> wrote:
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <marcus () blazingdot com> wrote:
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:

I like this response; instant CA death penalty seems to put the incentives about where they need to be.

I wouldn't necessarily count them dead just yet; although their legit customers must be very unhappy waking up one day to find their legitimate working SSL certs suddenly unusable.... So DigiNotar lost their "browser trusted" root CA status. That doesn't necessarily mean they will be unable to get other root CAs to cross-sign CA certificates they will make in the future, for the right price. A cross-sign with CA:TRUE is just as good as being installed in users' browser.

The problem here wasn't just that DigiNotar was compromised, but that they didn't have an audit trail and attempted a coverup which resulted in real harm to users. It will be difficult to re-gain the trust they lost. Because of that lost trust, any cross-signed cert would likely be revoked by the browsers. It would also make the browser vendors question whether the signing CA is worthy of their trust.

To pop up the stack a bit it's the fact that an organization willing to behave in that fashion was in my list of CA certs in the first place. Yes they're blackballed now, better late than never I suppose. What does that say about the potential for other CAs to behave in such a fashion?

Damian
--
Sent from my cell phone
Luciano P.Gomes
http://lgomes00.blogspot.com/