[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Microsoft deems all DigiNotar certificates untrustworthy, releases

Subject: Microsoft deems all DigiNotar certificates untrustworthy, releases
From: fredan-nanog at fredan.se (fredrik danerklint)
Date: Mon, 12 Sep 2011 11:46:04 +0200
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]>

> > How about a TXT record with the CN string of the CA cert subject in it?
> > If it exists and there's a conflict, don't trust it.  Seems simple
> > enough to implement without too much collateral damage.
> 
> Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> to attacks via DNS poisoning (either insert a malicious TXT that matches
> your malicious certificate, or insert a malicious TXT that intentionally
> *doesn't* match the vicitm's certificate)....

And how do you validate the dnssec to make sure that noone has tampered with 
it.

-- 
//fredan

Follow-Ups:
- Microsoft deems all DigiNotar certificates untrustworthy, releases
  - From: mansaxel at besserwisser.org (Måns Nilsson)

References:
- Microsoft deems all DigiNotar certificates untrustworthy, releases updates
  - From: joelja at bogus.com (Joel jaeggli)
- Microsoft deems all DigiNotar certificates untrustworthy, releases
  - From: marcus at blazingdot.com (Marcus Reid)
- Microsoft deems all DigiNotar certificates untrustworthy, releases
  - From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)

Prev by Date: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
Next by Date: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Previous by thread: Microsoft deems all DigiNotar certificates untrustworthy, releases
Next by thread: Microsoft deems all DigiNotar certificates untrustworthy, releases
Index(es):
- Date
- Thread