[144376] in North American Network Operators' Group


Re: Microsoft deems all DigiNotar certificates untrustworthy

daemon@ATHENA.MIT.EDU (Michael DeMan)
Fri Sep 9 23:07:38 2011

From: Michael DeMan <nanog@deman.com>
In-Reply-To: <4E6A8B10.3030607@paulgraydon.co.uk>
Date: Fri, 9 Sep 2011 20:06:42 -0700
To: NANOG list <nanog@nanog.org>
Cc: Malachi de AElfweald <malachi@sharplabs.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Sorry for being ignorant here - I have not even been aware that it is
possible to buy a '*.*.com' domain at all.

I thought wildcards were limited to having a domain off a TLD - like
'*.mydomain.tld'.

Is it true that my browser on a windows, mac, or linux desktop may
have listed as trusted authorities an outfit that sells '*.*.tld'?

Thanks,

- Mike

On Sep 9, 2011, at 2:54 PM, Paul wrote:

> On 09/09/2011 11:48 AM, Marcus Reid wrote:
>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
>>> FYI!!!
>>>
>>> http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html
>>>
>>> Google and Mozilla have also updated their browsers to block all DigiNotar
>>> certificates, while Apple has been silent on the issue, an emblematic zombie
>>> response!
>> Apple has sent out a notification saying that they are removing
>> DigiNotar from their list of trusted root certs.
>>
>> I like this response; instant CA death penalty seems to put the
>> incentives about where they need to be.
>>
>> Marcus
>>
> Instant?  This has been going on for over a week, and a lot of damage
> could have been done in that time, especially given certs for *.*.com
> were signed against DigiNotar.  Most cell phones are unable to update
> their certificates without an upgrade and you know how long it takes to
> get them through Cell Phone carriers.  A number of alternative android
> builds are adding the ability to control accepted root certs to their
> builds in the interest of speeding this up.  The CA system is
> fundamentally flawed.
>
> Paul
>
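The question above is whether a '*.*.com' name in a certificate would actually be honoured by a client. The following is an added illustration for this thread, not code posted by anyone in it: it applies the wildcard-matching rules that browsers converged on (RFC 6125 section 6.4.3 style), under which a wildcard must be the entire left-most label, may appear only once, and matches exactly one label. The rejection of a wildcard directly under a top-level label ('*.com') is a simplification of the public-suffix check real clients perform; the hostnames and SAN lists below are constructed sample input.

```python
"""Certificate name matching as a conforming TLS client applies it.

Shows that even if a CA had issued a certificate for '*.*.com', a
client following the usual wildcard rules would never match it against
a real hostname, while the ordinary '*.mydomain.tld' form works as the
thread expects. Illustration only; not the code of any real client.
"""


def labels(name: str) -> list[str]:
    """Split a DNS name into labels, case-folded, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`.

    Rules applied:
      * no '*' present: all labels must match exactly
      * exactly one '*', and it must be the whole left-most label
        ('*.*.com', 'foo.*.com' and 'f*.example.com' are all rejected)
      * the wildcard matches exactly one label, never zero or several
      * simplification (assumption): the wildcard must be followed by at
        least two labels, so '*.com' is rejected as covering a whole TLD;
        real clients consult a public-suffix list here instead
    """
    p = labels(pattern)
    h = labels(hostname)

    if "*" not in pattern:
        return p == h

    if pattern.count("*") != 1 or p[0] != "*":
        return False

    if len(p) < 3:
        return False

    # The wildcard stands in for exactly one label, so label counts must agree.
    if len(h) != len(p):
        return False

    # Every label to the right of the wildcard must match literally.
    return p[1:] == h[1:]


def first_matching_name(san_names: list[str], hostname: str):
    """Return the first dNSName in `san_names` that covers `hostname`, else None.

    Mirrors how a client walks the subjectAltName list: the certificate is
    accepted for the hostname only if some entry matches.
    """
    for name in san_names:
        if wildcard_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed SAN lists standing in for two hypothetical certificates.
    overly_broad = ["*.*.com"]
    ordinary = ["mydomain.tld", "*.mydomain.tld"]

    for host in ["www.example.com", "mail.google.com"]:
        print(f"{host!r} against {overly_broad}: {first_matching_name(overly_broad, host)}")
    for host in ["www.mydomain.tld", "mydomain.tld", "a.b.mydomain.tld"]:
        print(f"{host!r} against {ordinary}: {first_matching_name(ordinary, host)}")
```

The practical point for a trust-store operator is that name matching and issuer trust are separate checks: a client that has not yet removed a compromised root will still trust whatever that root signed, so the only thing limiting a mis-issued '*.*.com' name is the client's own matching discipline, which is why the root removal the thread discusses matters.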