nanog mailing list archives

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

From: "Michael Painter" <tvhawaii () shaka com>
Date: Sat, 10 Sep 2011 21:33:17 -1000

Damian Menscher wrote:

The problem here wasn't just that DigiNotar was compromised, but that they
didn't have an audit trail and attempted a coverup which resulted in real
harm to users.  It will be difficult to re-gain the trust they lost.

Because of that lost trust, any cross-signed cert would likely be revoked by
the browsers.  It would also make the browser vendors question whether the
signing CA is worthy of their trust.

Damian


I'd be interested in hearing what you have to say about the hacker's claim at:
http://pastebin.com/85WV10EL

"d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update istotally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no,SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... SimplyI can issue updates via windows update!"


Thanks,

--Michael

Current thread:

Microsoft deems all DigiNotar certificates untrustworthy, releases updates Network IP Dog (Sep 07)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Alexander Harrowell (Sep 07)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Marcus Reid (Sep 09)
  - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Paul (Sep 09)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Michael DeMan (Sep 09)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Dan White (Sep 09)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Heinrich Strauss (Sep 10)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jimmy Hess (Sep 10)
  - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jimmy Hess (Sep 09)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 10)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Michael Painter (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Cameron Byrne (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Bjørn Mork (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Joel jaeggli (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates sthaug (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Martin Millnert (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Marcus Reid (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)

(Thread continues...)