[144403] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (Michael Painter)
Sun Sep 11 03:33:57 2011
From: "Michael Painter" <tvhawaii@shaka.com>
To: "Damian Menscher" <damian@google.com>
Date: Sat, 10 Sep 2011 21:33:17 -1000
Cc: NANOG mailing list <nanog@nanog.org>

Damian Menscher wrote:
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
> Damian

I'd be interested in hearing what you have to say about the hacker's claim at:
http://pastebin.com/85WV10EL
"d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is
totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no,
SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply
I can issue updates via windows update!"

Thanks,
--Michael