[144409] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (Cameron Byrne)
Sun Sep 11 11:50:01 2011
In-Reply-To: <CABSP1Ofnjj27TsA=U4zs7-tpU67pbysSVFygD=WYtJwyTXzDWw@mail.gmail.com>
Date: Sun, 11 Sep 2011 08:49:33 -0700
From: Cameron Byrne <cb.list6@gmail.com>
To: Damian Menscher <damian@google.com>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sep 10, 2011 11:38 PM, "Damian Menscher" <damian@google.com> wrote:
>
> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia@gmail.com> wrote:
>
> > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <marcus@blazingdot.com>
wrote:
> > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
> > > I like this response; instant CA death penalty seems to put the
> > > incentives about where they need to be.
> >
> > I wouldn't necessarily count them dead just yet; although their legit
> > customers must be very unhappy waking up one day to find their
> > legitimate working SSL certs suddenly unusable....
> >
> > So DigiNotar lost their "browser trusted" root CA status. That
> > doesn't necessarily mean they will
> > be unable to get other root CAs to cross-sign CA certificates they
> > will make in the future, for the right price.
> >
> > A cross-sign with CA:TRUE is just as good as being installed in
> > users' browser.
> >
>
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked
by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
Yep. The CA business is one of trust. If the CA is not trusted, they are out
of business.
Cb
> Damian
> --
> Damian Menscher :: Security Reliability Engineer :: Google
