Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

[Christopher Morrow <morrowc.lists () gmail com>]

On Mon, Sep 12, 2011 at 4:39 AM,  <Valdis.Kletnieks () vt edu> wrote:
> On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
> > If I have a thawte cert for valdis.com on host A and one from comodo
> > on host B... which is the right one?
>
> You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when
> you got to the IP address you were trying to reach, the cert didn't validate as
> matching the hostname, you know something fishy is up.
>
> And if you *do* have two certs for it, I'd like to talk to the bozos at
> Thawte and Comodo who obviously didn't check the paperwork. ;)

this has already happened with mozilla.com, google.com, microsoft.com
.... my point was that as a user, and as a service operator, what in
today's CA world helps me know that the service operator's certificate
is what my user-client sees? some 'trust' in the fact that
thawte/comodo/verisign/cnnic didn't issue a cert for the
service-operator's service incorrectly?

I think I need a method that the service operator can use to signal to
my user-client outside the certificate itself that the certificate
#1234 is the 'right' one.