[144383] in North American Network Operators' Group

Re: Microsoft deems all DigiNotar certificates untrustworthy,

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sat Sep 10 02:33:54 2011

In-Reply-To: <20110909214804.GA88934@blazingdot.com>
Date: Sat, 10 Sep 2011 01:33:25 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Marcus Reid <marcus@blazingdot.com>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <marcus@blazingdot.com> wrote:
> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
> I like this response; instant CA death penalty seems to put the
> incentives about where they need to be.

I wouldn't necessarily count them dead just yet; although their legit
customers must be very unhappy waking up one day to find their
legitimate working SSL certs suddenly unusable...

So DigiNotar lost their "browser trusted" root CA status. That
doesn't necessarily mean they will be unable to get other root CAs
to cross-sign CA certificates they will make in the future, for the
right price.

A cross-sign with CA:TRUE is just as good as being installed in
users' browsers.


--
-JH
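
The cross-signing point above, as an added example that is not part of the original message: a throwaway PKI built with the `openssl` CLI (assumed installed, 1.1.0 or later) in which a leaf issued by a CA with no root of its own in the trust store still validates once another root signs that CA's key with CA:TRUE. All names, keys and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate is generated locally.
# "Other Root" stands for a root still in the trust store; "Dropped CA"
# stands for a CA whose own root has been removed from it.
DEMO_DIR=$(mktemp -d)

build_pki() (
  cd "$DEMO_DIR" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # Trusted root (self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca_ext \
    -subj "/CN=Other Root" -keyout other.key -out other.pem -days 30 &&
  # The dropped CA keeps its key pair and has the other root sign it.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=Dropped CA" -keyout dropped.key -out dropped.csr &&
  openssl x509 -req -in dropped.csr -CA other.pem -CAkey other.key -days 30 \
    -CAcreateserial -extfile pki.cnf -extensions ca_ext -out cross.pem &&
  # A leaf issued with the dropped CA's key.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr &&
  openssl x509 -req -in leaf.csr -CA cross.pem -CAkey dropped.key -days 30 \
    -CAcreateserial -extfile pki.cnf -extensions leaf_ext -out leaf.pem
)

# Succeeds if the named certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$DEMO_DIR/$1" -noout -text | grep -q 'CA:TRUE'; }

# Trust store holds only "Other Root"; the cross-cert is an intermediate.
verify_with_cross() {
  openssl verify -CAfile "$DEMO_DIR/other.pem" \
    -untrusted "$DEMO_DIR/cross.pem" "$DEMO_DIR/leaf.pem"
}

# Same trust store, no cross-certificate: no path to a trusted root.
verify_without_cross() {
  openssl verify -CAfile "$DEMO_DIR/other.pem" "$DEMO_DIR/leaf.pem"
}
```

Running `is_ca` over every intermediate a server presents is a quick audit for certificates that can issue further certificates under a root you trust.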

