Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- Subject: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- From: tvhawaii at shaka.com (Michael Painter)
- Date: Sat, 10 Sep 2011 21:33:17 -1000
- References: <[email protected]> <[email protected]> <CAAAwwbUqiRnJws_hi=5at4uN-cn+qq7PqsYSeWO_OizQkrVyrA@mail.gmail.com> <CABSP1Ofnjj27TsA=U4zs7-tpU67pbysSVFygD=WYtJwyTXzDWw@mail.gmail.com>
Damian Menscher wrote:
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
> Damian
I'd be interested in hearing what you have to say about the hacker's claim at:
http://pastebin.com/85WV10EL
"d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is
totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no,
SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply
I can issue updates via windows update!"
Thanks,
--Michael