[144427] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Sun Sep 11 21:58:53 2011
In-Reply-To: <CABSP1Ofnjj27TsA=U4zs7-tpU67pbysSVFygD=WYtJwyTXzDWw@mail.gmail.com>
Date: Sun, 11 Sep 2011 21:57:59 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Damian Menscher <damian@google.com>
Cc: NANOG mailing list <nanog@nanog.org>
somewhat rhetorically...
On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher <damian@google.com> wrote:
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
Given a list of CAs and certs to invalidate... how large a list
would be practical in a browser? (baked in, I mean)
(not very, relative to the size of the domain system today)
Is this scalable?
(no)
Is this the only answer we have left?
(no)
-chris
(I'm not sure what better answers there are to the situation we are in
today, I do like the work in DANE-WG though... it'll be a while before
it's practical to use though, I fear)