On Sep 10, 2011 11:38 PM, "Damian Menscher" <dam...@google.com> wrote:
>
> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysi...@gmail.com> wrote:
>
> > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <mar...@blazingdot.com> wrote:
> > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
> > > I like this response; instant CA death penalty seems to put the
> > > incentives about where they need to be.
> >
> > I wouldn't necessarily count them dead just yet; although their legit
> > customers must be very unhappy waking up one day to find their
> > legitimate working SSL certs suddenly unusable....
> >
> > So DigiNotar lost their "browser trusted" root CA status. That
> > doesn't necessarily mean they will
> > be unable to get other root CAs to cross-sign CA certificates they
> > will make in the future, for the right price.
> >
> > A cross-sign with CA:TRUE is just as good as being installed in
> > users' browser.
> >
>
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to regain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
Yep. The CA business is one of trust. If the CA is not trusted, they are out of business.

Cb

> Damian
> --
> Damian Menscher :: Security Reliability Engineer :: Google
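Two technical claims in the thread above can be checked in code: Jimmy's point that a CA:TRUE cross-sign is "just as good as being installed in users' browser", and Damian's point that the browsers would answer by revoking the cross-signed certificate. The following is an added example written for this page, not code from anyone in the thread. It uses only Go's standard crypto/x509: it builds a trusted root A and an untrusted root B, has A cross-sign B's key with CA:TRUE, issues one server certificate under B, and checks whether that certificate validates (a) with only A trusted and the cross-sign sent as an intermediate, (b) the same but with the cross-sign on a distrust list, and (c) with B installed directly. The root names, www.example.com and the serial numbers are made up, and the distrust list keyed on issuer name plus serial number is an assumption made for illustration; real browser distrust mechanisms differ in detail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome records whether the leaf validates in each situation from the thread.
type Outcome struct {
	ViaCrossSign     bool // only root A trusted; cross-signed B sent as an intermediate
	CrossSignBlocked bool // as above, but the cross-sign is on a distrust list
	DirectRoot       bool // root B itself installed in the trust store
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // CA:TRUE, the property the thread is talking about
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// mustSign issues tmpl for public key pub under parent, signing with priv.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return c
}

// BuildPKI constructs the certificates. Names and serial numbers are made up for the example.
func BuildPKI() (rootA, rootB, crossB, leaf *x509.Certificate) {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyL, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tA, tB := caTemplate("Root A (in browsers)", 1), caTemplate("Root B (not in browsers)", 2)
	rootA = mustSign(tA, tA, &keyA.PublicKey, keyA)
	rootB = mustSign(tB, tB, &keyB.PublicKey, keyB)
	// The cross-sign: B's subject and B's public key, CA:TRUE, but issued and signed by A.
	tX := caTemplate("Root B (not in browsers)", 1001)
	tX.SubjectKeyId = rootB.SubjectKeyId
	crossB = mustSign(tX, rootA, &keyB.PublicKey, keyA)
	// One leaf under B's key; the same certificate whether B is reached as a root or via the cross-sign.
	leaf = mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(2001),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, rootB, &keyL.PublicKey, keyB)
	return rootA, rootB, crossB, leaf
}

// blockKey identifies a certificate by issuer name and serial number (an assumed, simplified distrust-list key).
func blockKey(c *x509.Certificate) string {
	return fmt.Sprintf("%x|%s", c.RawIssuer, c.SerialNumber.Text(16))
}

// Validates reports whether leaf chains to one of roots via inters with no blocklisted certificate in the chain.
func Validates(leaf *x509.Certificate, roots, inters []*x509.Certificate, blocked map[string]bool) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: "www.example.com"})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			clean = clean && !blocked[blockKey(c)]
		}
		if clean {
			return true
		}
	}
	return false
}

// RunScenarios evaluates the three cases discussed in the thread.
func RunScenarios() Outcome {
	rootA, rootB, crossB, leaf := BuildPKI()
	onlyA, cross := []*x509.Certificate{rootA}, []*x509.Certificate{crossB}
	return Outcome{
		ViaCrossSign:     Validates(leaf, onlyA, cross, nil),
		CrossSignBlocked: Validates(leaf, onlyA, cross, map[string]bool{blockKey(crossB): true}),
		DirectRoot:       Validates(leaf, []*x509.Certificate{rootB}, nil, nil),
	}
}
```

Case (a) and case (c) come out identical from the relying party's side, which is the sense in which the cross-sign is as good as a root: the leaf never changes, only the path to a trusted anchor does. Case (b) is what the browser-side response looks like in practice: the blocklist entry names the cross-signed certificate by issuer and serial, so every leaf beneath it fails without touching the CA's own key or roots.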