[144474] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon Sep 12 14:01:57 2011
In-Reply-To: <201109121739.p8CHdovQ002359@mail.r-bonomi.com>
Date: Mon, 12 Sep 2011 14:00:06 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
>
>> Date: Mon, 12 Sep 2011 11:22:11 -0400
>> Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
>> From: Christopher Morrow <morrowc.lists@gmail.com>
>>
>> I think I need a method that the service operator can use to signal to my
>> user-client outside the certificate itself that the certificate
>> #1234 is the 'right' one.
>
> A certificate that certifies the certificate is valid, maybe?
so the DANE work does this, sort of... you sign (with dnssec) your
cert fingerprint, the client does a lookup (requiring dnssec signed
responses) to verify that the cert FP matches that which is in DNS.
> And why would you trust that any more than the original certificate?
at least in this case the domain owner (presumably the service owner
in question) has signed (with their private key) the DNS content you
get back.
There are failure modes, but it's more in line with the
service-owner/service-user level, not some oddball third party.
> Seriously, about the only way I see to ameliorate this kind of problem is
> for people to use self-signed certificates that are then authenticated
> by _multiple_ 'trust anchors'. If the end-user world raises warnings
> for a certificate 'authenticated' by say, less than five separate entities.
> then the compromise of any _single_ anchor is of pretty much 'no' value.
> Even better, let the user set the 'paranoia' level -- how many different
> 'trusted' authorities have to have authenticated the self-signed certificate
> before the user 'really trusts' it.
>
this almost sounds like GPS position fixing... 'require 4 satellites
in view', or something along those lines. Interesting as an idea
though.
-chris
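The DANE mechanism Chris describes (operator publishes a fingerprint of its certificate in DNS, client compares it against the certificate it was handed, and only trusts the answer if it came back DNSSEC-validated), written out as a small Python example. This is added illustration, not code from the thread or from any DANE implementation. It assumes a validating resolver has already checked the DNSSEC signatures and reports the outcome via an AD-style flag; the DNS answer and the certificate bytes are constructed stand-ins so it runs offline. Record layout follows RFC 6698 (usage / selector / matching type / association data), restricted here to the DANE-EE usage with the full-certificate selector; the SPKI selector and the CA-constraint usages, which also need PKIX chain validation, are deliberately left out.

```python
"""
Added example, not from the NANOG thread: a minimal DANE/TLSA-style check.
The server operator publishes a hash of its certificate in DNS (RFC 6698
TLSA record); the client accepts the certificate only if a DNSSEC-validated
answer carries a matching record.  DNS is stubbed with a constructed answer
so the example runs offline.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the DER bytes of a server certificate. Real code
# would take the DER from the TLS handshake; the content is irrelevant here.
SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-not-a-real-certificate" * 4


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 = DANE-EE: match the end-entity certificate itself
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact data, 1 = SHA-256, 2 = SHA-512 of selected data
    data: bytes

    @classmethod
    def from_presentation(cls, text):
        """Parse the zone-file form, e.g. '3 0 1 <hex digest>'."""
        usage, selector, mtype, hexdata = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_owner_name(host, port, proto="tcp"):
    """TLSA records live at _<port>._<proto>.<host> (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host}"


def association_data(cert_der, selector, matching_type):
    """Derive what a TLSA record must contain for this certificate."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        # Selector 1 needs the SPKI pulled out of the DER; X.509 parsing is
        # out of scope for this example, so it is left unsupported.
        raise NotImplementedError("SPKI selector needs an X.509 parser")
    else:
        raise ValueError("unknown selector")
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")


def make_tlsa(cert_der, usage=3, selector=0, matching_type=1):
    """Operator side: the record to publish, i.e. the fingerprint of its own cert."""
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert_der, selector, matching_type))


@dataclass
class DNSAnswer:
    """Constructed stand-in for a validating resolver's response."""
    name: str
    records: list           # list of TLSARecord
    authenticated: bool     # AD bit: DNSSEC validation succeeded
    bogus: bool = False     # validation was attempted and failed


def dane_verify(cert_der, answer):
    """
    Client side: accept the certificate only if a DNSSEC-validated answer holds
    a usable TLSA record that matches it.  Returns (ok, reason).
    """
    if answer.bogus:
        return False, "DNSSEC validation failed: do not connect"
    if not answer.authenticated:
        # Unsigned data proves nothing: there is no usable DANE data at all.
        return False, "answer not DNSSEC-authenticated: no usable DANE data"
    usable = [r for r in answer.records
              if r.usage == 3 and r.selector == 0 and r.matching_type in (1, 2)]
    if not usable:
        return False, "no usable TLSA record"
    for rec in usable:
        if association_data(cert_der, rec.selector, rec.matching_type) == rec.data:
            return True, "certificate matches TLSA record"
    return False, "certificate does not match any TLSA record"


if __name__ == "__main__":
    name = tlsa_owner_name("example.com", 443)   # constructed host name
    published = make_tlsa(SERVER_CERT_DER)
    good = DNSAnswer(name, [published], authenticated=True)
    print(dane_verify(SERVER_CERT_DER, good))             # (True, ...)
    print(dane_verify(b"some-other-cert", good))          # (False, ...): wrong cert
    unsigned = DNSAnswer(name, [published], authenticated=False)
    print(dane_verify(SERVER_CERT_DER, unsigned))         # (False, ...): no DANE data
```

The point of the two negative cases is the "failure modes" caveat: a certificate that a CA would happily vouch for is still rejected if its fingerprint is not the one the domain owner signed into DNS, and an unsigned or bogus DNS answer yields no DANE data rather than a match, so a resolver that cannot validate must not be mistaken for one that validated successfully.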