nanog mailing list archives

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

From: Valdis.Kletnieks () vt edu
Date: Mon, 12 Sep 2011 04:39:03 -0400

On Mon, 12 Sep 2011 04:39:52 -0000, Marcus Reid said:

You don't have to have the big fat Mozilla root cert bundle on your
machines.  Some OSes "ship" with an empty /etc/ssl, nobody tells you who
you trust.


And for those OS's (who are they, anyhow) that ship empty bundles,
how many CAs do you end up trusting anyhow?

How about a TXT record with the CN string of the CA cert subject in it?
If it exists and there's a conflict, don't trust it.  Seems simple
enough to implement without too much collateral damage.


Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
to attacks via DNS poisoning (either insert a malicious TXT that matches your
malicious certificate, or insert a malicious TXT that intentionally *doesn't* match
the vicitm's certificate)....

Attachment: _bin
Description:

Current thread:

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates, (continued)
- - - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 10)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Michael Painter (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Cameron Byrne (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Bjørn Mork (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Joel jaeggli (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates sthaug (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Martin Millnert (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Marcus Reid (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tony Finch (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tei (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Brett Frankenberger (Sep 13)

(Thread continues...)