[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- Subject: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- From: damian at google.com (Damian Menscher)
- Date: Sat, 10 Sep 2011 23:30:54 -0700
- In-reply-to: <CAAAwwbUqiRnJws_hi=5at4uN-cn+qq7PqsYSeWO_OizQkrVyrA@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAAAwwbUqiRnJws_hi=5at4uN-cn+qq7PqsYSeWO_OizQkrVyrA@mail.gmail.com>
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia at gmail.com> wrote:
> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <marcus at blazingdot.com> wrote:
> > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
> > I like this response; instant CA death penalty seems to put the
> > incentives about where they need to be.
>
> I wouldn't necessarily count them dead just yet; although their legit
> customers must be very unhappy waking up one day to find their
> legitimate working SSL certs suddenly unusable....
>
> So DigiNotar lost their "browser trusted" root CA status. That
> doesn't necessarily mean they will
> be unable to get other root CAs to cross-sign CA certificates they
> will make in the future, for the right price.
>
> A cross-sign with CA:TRUE is just as good as being installed in
> users' browser.
>
The problem here wasn't just that DigiNotar was compromised, but that they
didn't have an audit trail and attempted a coverup which resulted in real
harm to users. It will be difficult to re-gain the trust they lost.
Because of that lost trust, any cross-signed cert would likely be revoked by
the browsers. It would also make the browser vendors question whether the
signing CA is worthy of their trust.
Damian
--
Damian Menscher :: Security Reliability Engineer :: Google