[144414] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (lgomes00@gmail.com)
Sun Sep 11 14:43:19 2011
In-Reply-To: <4E6CEDAB.4070307@bogus.com>
Date: Sun, 11 Sep 2011 15:42:48 -0300
From: lgomes00@gmail.com
To: Joel jaeggli <joelja@bogus.com>, Damian Menscher <damian@google.com>,
NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
2011/9/11, Joel jaeggli <joelja@bogus.com>:
> On 9/10/11 23:30 , Damian Menscher wrote:
>> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia@gmail.com> wrote:
>>
>>> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <marcus@blazingdot.com>
>>> wrote:
>>>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
>>>> I like this response; instant CA death penalty seems to put the
>>>> incentives about where they need to be.
>>>
>>> I wouldn't necessarily count them dead just yet; although their legit
>>> customers must be very unhappy waking up one day to find their
>>> legitimate working SSL certs suddenly unusable....
>>>
>>> So DigiNotar lost their "browser trusted" root CA status. That
>>> doesn't necessarily mean they will
>>> be unable to get other root CAs to cross-sign CA certificates they
>>> will make in the future, for the right price.
>>>
>>> A cross-sign with CA:TRUE is just as good as being installed in
>>> users' browser.
>>>
>>
>> The problem here wasn't just that DigiNotar was compromised, but that they
>> didn't have an audit trail and attempted a coverup which resulted in real
>> harm to users. It will be difficult to re-gain the trust they lost.
>>
>> Because of that lost trust, any cross-signed cert would likely be revoked
>> by
>> the browsers. It would also make the browser vendors question whether the
>> signing CA is worthy of their trust.
>
> To pop up the stack a bit it's the fact that an organization willing to
> behave in that fashion was in my list of CA certs in the first place.
> Yes they're blackballed now, better late than never I suppose. What does
> that say about the potential for other CAs to behave in such a fashion?
>
>> Damian
>
>
>
--
Enviado do meu celular
Luciano P.Gomes
http://lgomes00.blogspot.com/
