nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
From: Cameron Byrne <cb.list6 () gmail com>
Date: Sun, 11 Sep 2011 08:49:33 -0700
On Sep 10, 2011 11:38 PM, "Damian Menscher" <damian () google com> wrote:
> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia () gmail com> wrote:
> > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <marcus () blazingdot com> wrote:
> > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
> > >
> > > I like this response; instant CA death penalty seems to put the
> > > incentives about where they need to be.
> >
> > I wouldn't necessarily count them dead just yet; although their legit
> > customers must be very unhappy waking up one day to find their
> > legitimate working SSL certs suddenly unusable....
> >
> > So DigiNotar lost their "browser trusted" root CA status. That doesn't
> > necessarily mean they will be unable to get other root CAs to cross-sign
> > CA certificates they will make in the future, for the right price.
> >
> > A cross-sign with CA:TRUE is just as good as being installed in users'
> > browser.
>
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.

Yep. The CA business is one of trust. If the CA is not trusted, they are out of business.

Cb

> Damian
> --
> Damian Menscher :: Security Reliability Engineer :: Google