RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

At 13:00 11/09/2011 -0600, Keith Medcalf wrote: Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

On Sun, Sep 11, 2011 at 01:34:43PM -0500, Joe Greco wrote: > > > Because of that lost trust, any cross-signed cert would likely be revoked > > > by > > > the browsers. It would also make the browser vendors question whether the > > > signing CA is worthy of their trust. > > > > To pop up the sta

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On 9/11/11 11:28 PM, Christopher Morrow wrote: On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: Companies that wrap their services with generic domain names (paymybills.com and the like) have no one to blame but themselves when they are targeted by scammers and phishing schemes.

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consume

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On Sep 11, 2011, at 9:44 PM, "Christopher Morrow" wrote: > On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: >> On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow >> wrote: >> >>> what's the real benefit of an EV cert? (to the service owner, not the >>> CA, the CA benefit is pretty clearly

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow > wrote: > >> what's the real benefit of an EV cert? (to the service owner, not the >> CA, the CA benefit is pretty clearly $$) > > The benefit is to the end user. > They see a green address

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow wrote: > what's the real benefit of an EV cert? (to the service owner, not the > CA, the CA benefit is pretty clearly $$) The benefit is to the end user. They see a green address bar with the company's name displayed. Yeah, company's name dis

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > EV certificates have a > different status and probably still need the CA model what's the real benefit of an EV cert? (to the service owner, not the CA, the CA benefit is pretty clearly $$) -chris (I've never seen the value in EV or even DV ce

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On Sun, Sep 11, 2011 at 3:37 PM, wrote: > On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: >> The current system provides no more authentication or confidentiality >> than if everyone simply used self-signed certificates. > > Not strictly true.  The current system at least gives you "you hav

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

somewhat rhetorically... On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the > signing CA is worthy of their trust. given a list of ca'

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

In message <146102.1315769...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu writes: > (*) Has anybody actually enabled "only accept DNSSEC-signed A records" > on an end user system and left it enabled for more than a day before > giving up in disgust? ;) No. But I run with "reject anything

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On Sun, Sep 11, 2011 at 4:02 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher > wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > Because of that lost trust, any cross-signed cert would likely be revoked > by > > the browsers. It would also make the brow

Re: Why are we still using the CA model? (Re: Microsoft deems all

Neither at the moment--but it's close. -A On Sun, Sep 11, 2011 at 15:52, wrote: > On Sun, 11 Sep 2011 15:20:51 PDT, "Aaron C. de Bruyn" said: >> I'm pretty fond of the idea proposed by gpgAuth.One key to rule them >> all (and one password) combined with the client verifying the >> server.It's s

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the I am not engaging in speculatio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On Sun, 11 Sep 2011 15:20:51 PDT, "Aaron C. de Bruyn" said: > I'm pretty fond of the idea proposed by gpgAuth.One key to rule them > all (and one password) combined with the client verifying the > server.It's still in its infancy, but it works. Yes, but it needs to be something that either (a) Joe

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

https://bugzilla.mozilla.org/show_bug.cgi?id=647959 --- SNIP --- This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates. The requested information as per the CA information checklist is as follows: 1. Name Honest Achmed's Used Cars and Certificates 2. W

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

I'm pretty fond of the idea proposed by gpgAuth.One key to rule them all (and one password) combined with the client verifying the server.It's still in its infancy, but it works. -A (Full disclosure: I work with the creator of gpgAuth in our day jobs) On Sun, Sep 11, 2011 at 11:47, Richard Barnes

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: > The current system provides no more authentication or confidentiality > than if everyone simply used self-signed certificates. Not strictly true. The current system at least gives you "you have reached the hostname your browser tried to reac

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said: > To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the pot

RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is the root of the problem: Trustworthiness is asses

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

There's an app^W^Wa Working Group for that. On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > On 11 September 2011 16:55, Bjørn Mork wrote: >> You can rewrite that: Trust is the CA business.  Trust has a price.  If >> the CA is not trusted, the price increases

Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

On 11 September 2011 16:55, Bjørn Mork wrote: > You can rewrite that: Trust is the CA business.  Trust has a price.  If > the CA is not trusted, the price increases. > > Yes, they may end up out of business because of that price jump, but you > should not neglect the fact that trust is for sale he

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011/9/11, Joel jaeggli : > On 9/10/11 23:30 , Damian Menscher wrote: >> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: >> >>> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid >>> wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: I like this response; instant CA deat

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

> > Because of that lost trust, any cross-signed cert would likely be revoked by > > the browsers. It would also make the browser vendors question whether the > > signing CA is worthy of their trust. > > To pop up the stack a bit it's the fact that an organization willing to > behave in that fash

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

> To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the potential for other CAs to behave in such a fashion? I'd

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On 9/10/11 23:30 , Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > >> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: >>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: >>> I like this response; instant CA death penalty seems to put the >>> incen

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Cameron Byrne writes: > Yep. The CA business is one of trust. If the CA is not trusted, they are out > of business. You can rewrite that: Trust is the CA business. Trust has a price. If the CA is not trusted, the price increases. Yes, they may end up out of business because of that price jump

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

On Sep 10, 2011 11:38 PM, "Damian Menscher" wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > > > I like this response; instant CA death penalty seems to p

Re: NAT444 or ?

On Sep 11, 2011 4:33 AM, "Dobbins, Roland" wrote: > > On Sep 11, 2011, at 4:02 PM, Leigh Porter wrote: > > > I'd agree that, usually, distributed is better but these are not distributed networks, there is a single point (or a few large single points) of contact. > > The point is that these aggrega

Re: NAT444 or ?

On Sep 11, 2011, at 4:02 PM, Leigh Porter wrote: > I'd agree that, usually, distributed is better but these are not distributed > networks, there is a single point (or a few large single points) of contact. The point is that these aggregations of state are quite vulnerable, and therefore they s

Re: Access and Session Control System?

If you also want to control where they go from the jump box, you might want to look at http://www.xceedium.com/en/index.php as they claim to add rules to what a remotely logged in user can do. Juniper SA is very nice and get's intuitive after you familiriaze yourself with it's workflow which is a

RE: NAT444 or ?

> -Original Message- > From: Cameron Byrne [mailto:cb.li...@gmail.com] > Ip mobility via gtp or mobile ip generally does not work when you nat > at the > 'edge'. If you don't want your ip address to change every time you > change > cell sites, the nat has to be centralized. > > Cb Inde

Re: Hurricane Katia

Not so bad for UK but there is an extreme weather warning for the west of Ireland http://www.independent.ie/national-news/hurricane-alert-storm-winds-coming-as-katia-moves-in-2872652.html -- Sent from my Android tablet. Please excuse my brevity On Sep 11, 2011 2:53 AM, "Jay Mitchell" wrote: > Ju

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Damian Menscher wrote: The problem here wasn't just that DigiNotar was compromised, but that they didn't have an audit trail and attempted a coverup which resulted in real harm to users. It will be difficult to re-gain the trust they lost. Because of that lost trust, any cross-signed cert would