[144459] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon Sep 12 11:22:56 2011
In-Reply-To: <167290.1315816763@turing-police.cc.vt.edu>
Date: Mon, 12 Sep 2011 11:22:11 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Valdis.Kletnieks@vt.edu
Cc: North American Network Operators Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Sep 12, 2011 at 4:39 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
>> If I have a thawte cert for valdis.com on host A and one from comodo
>> on host B... which is the right one?
>
> You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when
> you got to the IP address you were trying to reach, the cert didn't validate as
> matching the hostname, you know something fishy is up.
>
> And if you *do* have two certs for it, I'd like to talk to the bozos at
> Thawte and Comodo who obviously didn't check the paperwork. ;)
This has already happened with mozilla.com, google.com, microsoft.com
... My point was that as a user, and as a service operator, what in
today's CA world helps me know that the service operator's certificate
is what my user-client sees? Some 'trust' in the fact that
thawte/comodo/verisign/cnnic didn't issue a cert for the
service-operator's service incorrectly?

I think I need a method that the service operator can use to signal to
my user-client outside the certificate itself that the certificate
#1234 is the 'right' one.