nanog mailing list archives

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 12 Sep 2011 14:00:06 -0400

On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi <bonomi () mail r-bonomi com> wrote:

Date: Mon, 12 Sep 2011 11:22:11 -0400
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy,
 releases updates
From: Christopher Morrow <morrowc.lists () gmail com>

I think I need a method that the service operator can use to signal to my
user-client outside the certificate itself that the certificate
#1234 is the 'right' one.

A certificate that certifies the certificate is valid, maybe?

so the DANE work does this, sort of... you sign (with dnssec) your
cert fingerprint, the client does a lookup (requiring dnssec signed
responses) to verify that the cert FP matches that which is in DNS.

And why would you trust that any more than the original certificate?

at least in this case the domain owner (presumably the service owner
in question) has signed (with their private key) the DNS content you
get back.

There are failure modes, but it's more in line with the
service-owner/service-user level not some oddball third party.

Seriously, about the only way I see to ameliorate this kind of problem is
for people to use self-signed certificates that are then authenticated
by _multiple_ 'trust anchors'.  If the end-user world raises warnings
for a certificate 'authenticated' by say, less than five separate entities,
then the compromise of any _single_ anchor is of pretty much 'no' value.
Even better, let the user set the 'paranoia' level -- how many different
'trusted' authorities have to have authenticated the self-signed certificate
before the user 'really trusts' it.


this almost sounds like GPS position fixing... 'require 4 satellites
in view', or something along those lines. Interesting as an idea
though.

-chris
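
The DANE check discussed in this thread (a certificate fingerprint published in DNSSEC-signed DNS and compared by the client), as an added example that is not part of the original messages. It assumes the TLSA record format later standardized in RFC 6698, handles only the full-certificate selector (0), takes the DNSSEC validation result as a boolean from a validating resolver, and uses hypothetical function names and constructed placeholder bytes in place of a real DER certificate.

```python
import hashlib
import hmac

# TLSA matching-type field (RFC 6698): how the DNS data relates to the cert.
MATCHERS = {
    0: lambda der: der,                           # exact certificate bytes
    1: lambda der: hashlib.sha256(der).digest(),  # SHA-256 fingerprint
    2: lambda der: hashlib.sha512(der).digest(),  # SHA-512 fingerprint
}

def parse_tlsa(text):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def cert_matches_dns(cert_der, tlsa_records, dnssec_validated):
    """True only if a DNSSEC-validated TLSA record pins this exact certificate."""
    if not dnssec_validated:
        # An unsigned answer proves nothing: whoever can forge the
        # certificate path may also be able to forge the DNS reply.
        return False
    for text in tlsa_records:
        try:
            _usage, selector, mtype, data = parse_tlsa(text)
        except ValueError:
            continue  # malformed record: ignore it, never treat as a match
        if selector != 0 or mtype not in MATCHERS:
            continue  # this example only covers full-certificate selectors
        if hmac.compare_digest(MATCHERS[mtype](cert_der), data):
            return True
    return False

# Constructed sample data (placeholders, not real certificates).
SERVER_CERT = b"constructed-placeholder-for-DER-certificate-1234"
OTHER_CERT = b"constructed-placeholder-for-misissued-certificate"
RRSET = ["3 0 1 " + hashlib.sha256(SERVER_CERT).hexdigest()]

if __name__ == "__main__":
    print("pinned cert, signed DNS:   ", cert_matches_dns(SERVER_CERT, RRSET, True))
    print("other cert, signed DNS:    ", cert_matches_dns(OTHER_CERT, RRSET, True))
    print("pinned cert, unsigned DNS: ", cert_matches_dns(SERVER_CERT, RRSET, False))
```

A certificate issued by a compromised third party for the same name fails the comparison because its bytes differ from what the domain owner published, and an answer that did not validate under DNSSEC is rejected before any comparison is made.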

