Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- Subject: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- From: morrowc.lists at gmail.com (Christopher Morrow)
- Date: Mon, 12 Sep 2011 11:22:11 -0400
- In-reply-to: <[email protected]>
- References: <[email protected]> <[email protected]> <CAL9jLaZL8UygQjjcvaCbpW0qBqnSrygJb6HQTK4gh=NH45aCAg@mail.gmail.com> <[email protected]>
On Mon, Sep 12, 2011 at 4:39 AM, <Valdis.Kletnieks at vt.edu> wrote:
> On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
>> If I have a thawte cert for valdis.com on host A and one from comodo
>> on host B... which is the right one?
>
> You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when
> you got to the IP address you were trying to reach, the cert didn't validate as
> matching the hostname, you know something fishy is up.
>
> And if you *do* have two certs for it, I'd like to talk to the bozos at
> Thawte and Comodo who obviously didn't check the paperwork. ;)
This has already happened with mozilla.com, google.com, microsoft.com
.... my point was that as a user, and as a service operator, what in
today's CA world helps me know that the service operator's certificate
is what my user-client sees? some 'trust' in the fact that
thawte/comodo/verisign/cnnic didn't issue a cert for the
service-operator's service incorrectly?
I think I need a method that the service operator can use to signal to
my user-client outside the certificate itself that the certificate
#1234 is the 'right' one.
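One concrete form of the out-of-band signal the message asks for is a public-key pin, the idea later standardized for HTTP as HPKP (RFC 7469) and, carried in DNS, as DANE/TLSA (RFC 6698): the service operator publishes a hash of the certificate's SubjectPublicKeyInfo, and the client rejects any chain that presents no pinned key, no matter which CA signed it. The Python below is an added example, not part of Christopher Morrow's post or of any project named in the thread. It uses only the standard library, builds structurally valid but unsigned test certificates with a small DER encoder (the hostname, keys and serial numbers are constructed for the demo and the signature is dummy zeros), and shows how the pin is derived and checked.

```python
import base64
import hashlib

# ---- minimal DER encode/decode: just enough to build and walk an X.509 cert ----

def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))

def der_int(n):
    # positive INTEGER; an extra leading 0x00 is added when the top bit is set
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_read(buf, pos):
    """Decode one TLV starting at pos -> (tag, value, end_offset, whole_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    return tag, buf[start:end], end, buf[pos:end]

def der_children(body):
    """All TLVs directly inside a constructed value, as (tag, value, whole_tlv)."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos, tlv = der_read(body, pos)
        out.append((tag, value, tlv))
    return out

# ---- the pin: hash of the DER SubjectPublicKeyInfo, not of the whole certificate ----

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tbs_tag, tbs_body, _, _ = der_read(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("not a TBSCertificate SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # optional EXPLICIT [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, _, spki_tlv = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return spki_tlv

def spki_pin_sha256(cert_der):
    """pin-sha256 as used by HPKP: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_matches_pins(chain_der, pinned):
    """Accept a chain only if some certificate in it carries a pinned public key."""
    return any(spki_pin_sha256(c) in pinned for c in chain_der)

# ---- constructed test certificates (unsigned; for the demo only) ----

OID_ED25519 = bytes.fromhex("2b6570")   # 1.3.101.112
OID_CN = bytes.fromhex("550403")        # 2.5.4.3 commonName

def build_test_cert(cn, pubkey, serial):
    """Structurally valid X.509 v3 DER with a dummy all-zero signature."""
    alg = der_seq(der_tlv(0x06, OID_ED25519))
    name = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, OID_CN), der_tlv(0x0C, cn.encode()))))
    valid = der_seq(der_tlv(0x17, b"110912000000Z"), der_tlv(0x17, b"120912000000Z"))
    spki = der_seq(alg, der_tlv(0x03, b"\x00" + pubkey))   # BIT STRING, 0 unused bits
    tbs = der_seq(der_tlv(0xA0, der_int(2)), der_int(serial), alg, name, valid, name, spki)
    return der_seq(tbs, alg, der_tlv(0x03, b"\x00" + bytes(64)))

# Constructed 32-byte "keys" (not real Ed25519 keys; values are arbitrary)
OPERATOR_KEY = hashlib.sha256(b"valdis.com operator key").digest()
BACKUP_KEY = hashlib.sha256(b"valdis.com backup key").digest()
ROGUE_KEY = hashlib.sha256(b"key in a cert a careless CA mis-issued").digest()

def demo():
    # The operator publishes pins for the live key and a backup key.
    pinned = {spki_pin_sha256(build_test_cert("valdis.com", OPERATOR_KEY, 1)),
              spki_pin_sha256(build_test_cert("valdis.com", BACKUP_KEY, 1))}
    good = build_test_cert("valdis.com", OPERATOR_KEY, 1234)
    renewed = build_test_cert("valdis.com", OPERATOR_KEY, 5678)   # same key, new serial
    rogue = build_test_cert("valdis.com", ROGUE_KEY, 99)          # CA-"valid", wrong key
    return {"good": chain_matches_pins([good], pinned),
            "renewed": chain_matches_pins([renewed], pinned),
            "rogue": chain_matches_pins([rogue], pinned)}

if __name__ == "__main__":
    print(demo())
```

Because the pin covers only the SubjectPublicKeyInfo, a renewed certificate that keeps the same key still matches while a mis-issued certificate with a different key for the same name does not, regardless of the issuing CA; publishing a second, backup pin is what lets the operator rotate keys without locking clients out. A real client would run this check on the chain returned by `getpeercert(binary_form=True)` after, not instead of, normal chain validation.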