nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
From: Jimmy Hess <mysidia () gmail com>
Date: Sun, 11 Sep 2011 18:02:03 -0500
On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher <damian () google com> wrote:
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia () gmail com> wrote: Because of that lost trust, any cross-signed cert would likely be revoked by the browsers. It would also make the browser vendors question whether the
I am not engaging in speculation that DigiNotar plans to continue to operate, they have already stated so much. http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx "VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans." So long as DigiNotar can show what they are required to show when they would request re-signing, and another CA can legitimately cross-sign their cert, following that CA's official correct certification practices; it's unlikely to lead to the signer being revoked. As far as we know, DigiNotar is not dead, it is just a really great example showing how broken TLS security model is. The trust model hard-coded into the protocol is much weaker than the cryptography. Since the browsers already approved that root CA's certification practices. Particularly not if the cross-signer is one of the larger CAs such as Thawte or Verisign --- the browser might as well remove SSL support altogether, if they will perform a revokation that renders 40% of internet web server SSL certs invalid. -- -JH
Current thread:
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases, (continued)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Jima (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Ted Cooper (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 14)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates lgomes00 (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Mark Andrews (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jimmy Hess (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Robert Bonomi (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Mike Jones (Sep 12)