Re: Opta revokes Diginotar TTP license (Was: Microsoft deems all DigiNotar certificates untrustworthy, releases)

2011-09-14 Thread Always Learning
On Wed, 2011-09-14 at 19:16 +0200, Jeroen Massar wrote: > And to end this thread as this effectively ends Diginotar troubles for > the Interwebz: > > Dutch official statement: > http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3469 Thanks. Translation (my own translation, niet slech

Opta revokes Diginotar TTP license (Was: Microsoft deems all DigiNotar certificates untrustworthy, releases)

2011-09-14 Thread Jeroen Massar
And to end this thread as this effectively ends Diginotar troubles for the Interwebz: Dutch official statement: http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3469 English Summary "OPTA revokes Diginotar License as TTP": http://www.circleid.com/posts/opta_revokes_diginotar_license_

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-14 Thread Lou Katz
The problem that I see with browser response to self-signed (or org generated) certs is not the warning(s) but the assertion that the cert is invalid. Not issued by one of the players in the Protection Racket does not make the cert invalid. It may be untrustable, unreliable, from an unknown and/

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-14 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:55 PM, Ted Cooper wrote: > > As claimed by the DigiNotar hacker - He compromised their servers but > Eddy was manually approving certs at the time and so no certs were signed. > > There was information about it on the site, but it seems to be gone now. > Articles still s

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Ted Cooper
On 14/09/11 13:44, Christopher Morrow wrote: > On Tue, Sep 13, 2011 at 11:33 PM, Jima wrote: >> Huh? I'm a bit lost here, since I had two StartSSL certs issued yesterday >> afternoon. > > orly? weird, they made a press release ~last-june (I think?) stating > they were stopping issuance indefini

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:44 PM, Christopher Morrow wrote: > On Tue, Sep 13, 2011 at 11:33 PM, Jima wrote: >> On 2011-09-13 20:26, Christopher Morrow wrote: >>> >>> On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver >>> wrote: No need for (financial) pain, there are free of charge ssl c

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:33 PM, Jima wrote: > On 2011-09-13 20:26, Christopher Morrow wrote: >> >> On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver >>  wrote: >>> >>> No need for (financial) pain, there are free of charge ssl certificates >>> available, see for example: >>> >>> http://www.starts

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Jima
On 2011-09-13 20:26, Christopher Morrow wrote: On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver wrote: No need for (financial) pain, there are free of charge ssl certificates available, see for example: http://www.startssl.com/?app=1 eddy stopped issuing Huh? I'm a bit lost here, since I

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver wrote: > At 22-07-28164 20:59, Tei wrote: >> >> *a random php programmer shows* >> >> He, I just want to self-sign my CERT's and remove the ugly warning that >> browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I >> just don't

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Chris Adams
Once upon a time, valdis.kletni...@vt.edu said: > If you use SSH to connect, and either ignore the "host key has changed" or > "authenticity can't be established, continue connecting?" messages, you get > what you deserve - those are the *exact* same issues that your browser warns > about self-sig

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Michiel Klaver
At 22-07-28164 20:59, Tei wrote: *a random php programmer shows* He, I just want to self-sign my CERT's and remove the ugly warning that browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I just don't want to use cleartext for internet data transfer. HTTP is like telnet, a

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Chris Adams
Once upon a time, Brett Frankenberger said: > On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote: > > Once upon a time, Tei said: > > > He, I just want to self-sign my CERT's and remove the ugly warning that > > > browsers show. > > > > SSL without some verification of the far end is u

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Valdis . Kletnieks
On Tue, 13 Sep 2011 16:29:30 +0200, Tei said: > He, I just want to self-sign my CERT's and remove the ugly warning that > browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I The warning is there for a *reason* - namely that if you have a self-signed cert, a first time visito

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Brett Frankenberger
On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote: > Once upon a time, Tei said: > > He, I just want to self-sign my CERT's and remove the ugly warning that > > browsers show. > > SSL without some verification of the far end is useless, as a > man-in-the-middle attack can create self-s

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread David Israel
On 9/13/2011 10:29 AM, Tei wrote: *a random php programmer shows* He, I just want to self-sign my CERT's and remove the ugly warning that browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I just don't want to use cleartext for internet data transfer. HTTP is like telnet,

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Peter Kristolaitis
Really? You can "just connect" with SSH? root@somebox:~# ssh 1.2.3.4 The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established. RSA key fingerprint is 03:26:2c:b2:cd:fd:05:fc:87:70:4b:06:58:40:e7:c3. Are you sure you want to continue connecting (yes/no)? That's no different than having

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Chris Adams
Once upon a time, Tei said: > He, I just want to self-sign my CERT's and remove the ugly warning that > browsers show. SSL without some verification of the far end is useless, as a man-in-the-middle attack can create self-signed certs just as easily. -- Chris Adams Systems and Network Adminis

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Tei
*a random php programmer shows* He, I just want to self-sign my CERT's and remove the ugly warning that browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I just don't want to use cleartext for internet data transfer. HTTP is like telnet, and HTTPS is like ssh. But with ssh

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Jimmy Hess
On Mon, Sep 12, 2011 at 6:23 AM, Gregory Edigarov wrote: > I.e. instead of a set of trusted CAs there will be one distributed net > of servers, that act as a cert storage? > I do not see how that could help... More lines of defense on top of the CA model. Consider instead of abandoning the CA mode

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Marcus Reid
On Mon, Sep 12, 2011 at 11:00:47PM +0100, Tony Finch wrote: > Note that a big weak point in the DNS is the interface between the > registrars and the registry. If you have a domain you have to trust the > registry to impose suitable restrictions on its registrars to prevent a > dodgy registrar from

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread fredrik danerklint
Tony, Thanks for this explanation! I think this is what I've been looking for regarding securing DNSSEC. > > and how about an end user, who doesn't understand a computer at all, to > > be able to verify the signatures, correctly? > > The current trust model for DNSSEC relies on the vendor of the

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
> > > > with dane, i trust whoever runs dns for citibank to identify the cert > > > > for citibank. this seems much more reasonable than other approaches, > > > > though i admit to not having dived deeply into them all. > > > If the root DNS keys were compromised in an all DNS rooted world... > >

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Tony Finch
fredrik danerklint wrote: > > and how about an end user, who doesn't understand a computer at all, to > be able to verify the signatures, correctly? The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
Mike Jones wrote: > > DNSSEC deployment is advanced enough now to do that automatically at the > client. Sadly not quite. DNSSEC does have the potential to provide an alternative public key infrastructure, and I'm keen to see that happen. But although it works well between authoritative servers a

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Jasper Wallace
On Mon, 12 Sep 2011, Gregory Edigarov wrote: > On Mon, 12 Sep 2011 12:12:08 +0200 > Martin Millnert wrote: > > > Mike, > > > > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > > > It will take a while to get updated browsers rolled out to enough > > > users for it to be practical to start

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Måns Nilsson
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Date: Mon, Sep 12, 2011 at 10:42:35PM +0200 Quoting fredrik danerklint (fredan-na...@fredan.se): > > Quite trivial, in fact. > > and how about an end user, who doesn't understand a computer at a

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread fredrik danerklint
> > > > How about a TXT record with the CN string of the CA cert subject in > > > > it? If it exists and there's a conflict, don't trust it. Seems > > > > simple enough to implement without too much collateral damage. > > > > > > Needs to be a DNSSEC-validated TXT record, or you've opened yoursel

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 22:31:59 +0200, Måns Nilsson said: > Since you are from Sweden, and in an IT job, you probably have personal > relations to someone who has personal relations to one of the swedes > or other nationalities that were present at the key ceremonies for the > root. Once you've estab

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Måns Nilsson
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Date: Mon, Sep 12, 2011 at 11:46:04AM +0200 Quoting fredrik danerklint (fredan-na...@fredan.se): > > > How about a TXT record with the CN string of the CA cert subject in it? > > > If it exists and

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Eliot Lear
On 9/12/11 4:32 PM, Jason Duerstock wrote: > Except that this just shifts the burden of trust on to DNSSEC, which > also necessitates a central authority of 'trust'. Unless there's an > explicitly more secure way of storing DNSSEC private keys, this just > moves the bullseye from CAs to DNSSEC s

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Mike Jones
On 12 September 2011 18:39, Robert Bonomi wrote: > Seriously, about the only way I see to ameliorate this kind of problem is > for people to use self-signed certificates that are then authenticated > by _multiple_ 'trust anchors'.  If the end-user world raises warnings > for a certificate 'authent

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi wrote: > >> Date: Mon, 12 Sep 2011 11:22:11 -0400 >> Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, >>  releases updates >> From: Christopher Morrow >> >> I think I need a method that th

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Damian Menscher
On Mon, Sep 12, 2011 at 7:09 AM, Martin Millnert wrote: > > Something similar, including use of purchased (not only limited to > stolen certs), is ongoing already, all of the time. (I had a fellow > IRC-chat-friend report from a certain very western-allied middle > eastern country that there's I

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Robert Bonomi
> Date: Mon, 12 Sep 2011 11:22:11 -0400 > Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, > releases updates > From: Christopher Morrow > > I think I need a method that the service operator can use to signal to my > user-client outside the certif

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Ted Cooper
On 13/09/11 01:12, Randy Bush wrote: >>> as eliot pointed out, to defeat dane as currently written, you would >>> have to compromise dnssec at the same time as you compromised the CA at >>> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to >>> CA trust. >> Yes, I saw that. It a

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Martin Millnert wrote: On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas wrote: And how long would it be before browsers allowed self-signed-but-ok'ed-using-dnssec-protected-cert-hashes? As previously mentioned, Chrome >= v14 already does. The perils of coming in late in a thread :) Mike

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 4:39 AM, wrote: > On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said: >> If I have a thawte cert for valdis.com on host A and one from comodo >> on host B... which is the right one? > > You wouldn't have 2 certs for that... I'd have *one* cert for that. And if > wh

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas wrote: > And how long would it be before browsers allowed > self-signed-but-ok'ed-using-dnssec-protected-cert-hashes? As previously mentioned, Chrome >= v14 already does. Regards, Martin

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
>> as eliot pointed out, to defeat dane as currently written, you would >> have to compromise dnssec at the same time as you compromised the CA at >> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to >> CA trust. > Yes, I saw that. It also drives up complexity too and makes you

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Randy Bush wrote: with dane, i trust whoever runs dns for citibank to identify the cert for citibank. this seems much more reasonable than other approaches, though i admit to not having dived deeply into them all. If the root DNS keys were compromised in an all DNS rooted world... unhappiness w

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Gregory Edigarov
On Mon, 12 Sep 2011 07:53:57 -0700 Michael Thomas wrote: > Randy Bush wrote: > >> But Gregory is right, you cannot really trust anybody completely. > >> Even the larger and more respectable commercial organisations will > >> be unable to resist when they ask > >> for dodgy certs so they can inte

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
>> with dane, i trust whoever runs dns for citibank to identify the cert >> for citibank. this seems much more reasonable than other approaches, >> though i admit to not having dived deeply into them all. > If the root DNS keys were compromised in an all DNS rooted world... > unhappiness would ens

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Randy Bush wrote: But Gregory is right, you cannot really trust anybody completely. Even the larger and more respectable commercial organisations will be unable to resist when they ask for dodgy certs so they can intercept something.. No, as soon as you have somebody who is not yourself in cont

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
> But Gregory is right, you cannot really trust anybody completely. Even > the larger and more respectable commercial organisations will be > unable to resist when they ask for > dodgy certs so they can intercept something.. > > No, as soon as you have somebody who is not yourself in control > wi

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Jason Duerstock
Except that this just shifts the burden of trust on to DNSSEC, which also necessitates a central authority of 'trust'. Unless there's an explicitly more secure way of storing DNSSEC private keys, this just moves the bullseye from CAs to DNSSEC signers. Jason On Mon, Sep 12, 2011 at 5:30 AM, Elio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Christopher J. Pilkington
On Sep 11, 2011, at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consumers

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Martin Millnert
Steinar, On Sun, Sep 11, 2011 at 8:12 PM, wrote: >> To pop up the stack a bit it's the fact that an organization willing to >> behave in that fashion was in my list of CA certs in the first place. >> Yes they're blackballed now, better late than never I suppose. What does >> that say about the p

RE: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Leigh Porter
> -Original Message- > From: Gregory Edigarov [mailto:g...@bestnet.kharkov.ua] > I.e. instead of a set of trusted CAs there will be one distributed net > of servers, that act as a cert storage? > I do not see how that could help... > Well, I do not even see how can one trust any certifica

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Joe Greco
> > I think that it's hard to cope with SSL. It doesn't do the right things > > for the right reasons. Many of us, for example, operate local root CA's > > for signing of "internal" stuff; all our company gear trusts our local > > root CA and lots of stuff has certs issued by it. In an ideal wor

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
Gregory, On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov wrote: > On Mon, 12 Sep 2011 12:12:08 +0200 > Martin Millnert wrote: > >> Mike, >> >> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: >> > It will take a while to get updated browsers rolled out to enough >> > users for it to be prac

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Gregory Edigarov
On Mon, 12 Sep 2011 12:12:08 +0200 Martin Millnert wrote: > Mike, > > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > > It will take a while to get updated browsers rolled out to enough > > users for it to be practical to start using DNS-based self-signed > > certificates instead of CA-Sig

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
Mike, On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > It will take a while to get updated browsers rolled out to enough > users for it to be practical to start using DNS-based self-signed > certificates instead of CA-Signed certificates, so why don't any > browsers have support yet? are any

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread fredrik danerklint
> > How about a TXT record with the CN string of the CA cert subject in it? > > If it exists and there's a conflict, don't trust it. Seems simple > > enough to implement without too much collateral damage. > > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up > to attacks vi

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Eliot Lear
Hank and everyone, This is a very interesting problem. As it happens, some folks in the IETF have anticipated this one. For those who are interested, Paul Hoffman and Jakob Schlyter have been working within the DANE working group at the IETF to provide for a means to alleviate some of the respon

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said: > If I have a thawte cert for valdis.com on host A and one from comodo > on host B... which is the right one? You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when you got to the IP address you were trying to reac

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 04:39:52 -, Marcus Reid said: > You don't have to have the big fat Mozilla root cert bundle on your > machines. Some OSes "ship" with an empty /etc/ssl, nobody tells you who > you trust. And for those OS's (who are they, anyhow) that ship empty bundles, how many CAs do yo

RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Hank Nussbacher
At 13:00 11/09/2011 -0600, Keith Medcalf wrote: Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-11 Thread Marcus Reid
On Sun, Sep 11, 2011 at 01:34:43PM -0500, Joe Greco wrote: > > > Because of that lost trust, any cross-signed cert would likely be revoked > > > by > > > the browsers. It would also make the browser vendors question whether the > > > signing CA is worthy of their trust. > > > > To pop up the sta

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread William Allen Simpson
On 9/11/11 11:28 PM, Christopher Morrow wrote: On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: Companies that wrap their services with generic domain names (paymybills.com and the like) have no one to blame but themselves when they are targeted by scammers and phishing schemes.

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consume

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Hughes, Scott GRE-MG
On Sep 11, 2011, at 9:44 PM, "Christopher Morrow" wrote: > On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: >> On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow >> wrote: >> >>> what's the real benefit of an EV cert? (to the service owner, not the >>> CA, the CA benefit is pretty clearly

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow > wrote: > >> what's the real benefit of an EV cert? (to the service owner, not the >> CA, the CA benefit is pretty clearly $$) > > The benefit is to the end user. > They see a green address

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Jimmy Hess
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow wrote: > what's the real benefit of an EV cert? (to the service owner, not the > CA, the CA benefit is pretty clearly $$) The benefit is to the end user. They see a green address bar with the company's name displayed. Yeah, company's name dis

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > EV certificates have a > different status and probably still need the CA model what's the real benefit of an EV cert? (to the service owner, not the CA, the CA benefit is pretty clearly $$) -chris (I've never seen the value in EV or even DV ce

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 3:37 PM, wrote: > On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: >> The current system provides no more authentication or confidentiality >> than if everyone simply used self-signed certificates. > > Not strictly true.  The current system at least gives you "you hav

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Christopher Morrow
somewhat rhetorically... On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the > signing CA is worthy of their trust. given a list of ca'

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Mark Andrews
In message <146102.1315769...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu writes: > (*) Has anybody actually enabled "only accept DNSSEC-signed A records" > on an end user system and left it enabled for more than a day before > giving up in disgust? ;) No. But I run with "reject anything

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Damian Menscher
On Sun, Sep 11, 2011 at 4:02 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher > wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > Because of that lost trust, any cross-signed cert would likely be revoked > by > > the browsers. It would also make the brow

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Jimmy Hess
On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the I am not engaging in speculatio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 15:20:51 PDT, "Aaron C. de Bruyn" said: > I'm pretty fond of the idea proposed by gpgAuth. One key to rule them > all (and one password) combined with the client verifying the > server. It's still in its infancy, but it works. Yes, but it needs to be something that either (a) Joe

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread James Harr
https://bugzilla.mozilla.org/show_bug.cgi?id=647959 --- SNIP --- This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates. The requested information as per the CA information checklist is as follows: 1. Name Honest Achmed's Used Cars and Certificates 2. W

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Aaron C. de Bruyn
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them all (and one password) combined with the client verifying the server. It's still in its infancy, but it works. -A (Full disclosure: I work with the creator of gpgAuth in our day jobs) On Sun, Sep 11, 2011 at 11:47, Richard Barnes

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: > The current system provides no more authentication or confidentiality > than if everyone simply used self-signed certificates. Not strictly true. The current system at least gives you "you have reached the hostname your browser tried to reac

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said: > To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the pot

RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Keith Medcalf
Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is the root of the problem: Trustworthiness is asses

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Richard Barnes
There's an app^W^Wa Working Group for that. On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > On 11 September 2011 16:55, Bjørn Mork wrote: >> You can rewrite that: Trust is the CA business.  Trust has a price.  If >> the CA is not trusted, the price increases

Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Mike Jones
On 11 September 2011 16:55, Bjørn Mork wrote: > You can rewrite that: Trust is the CA business.  Trust has a price.  If > the CA is not trusted, the price increases. > > Yes, they may end up out of business because of that price jump, but you > should not neglect the fact that trust is for sale he

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread lgomes00
2011/9/11, Joel jaeggli : > On 9/10/11 23:30 , Damian Menscher wrote: >> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: >> >>> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid >>> wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: I like this response; instant CA deat

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-11 Thread Joe Greco
> > Because of that lost trust, any cross-signed cert would likely be revoked by > > the browsers. It would also make the browser vendors question whether the > > signing CA is worthy of their trust. > > To pop up the stack a bit it's the fact that an organization willing to > behave in that fash

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread sthaug
> To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the potential for other CAs to behave in such a fashion? I'd

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Joel jaeggli
On 9/10/11 23:30 , Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > >> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: >>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: >>> I like this response; instant CA death penalty seems to put the >>> incen

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Bjørn Mork
Cameron Byrne writes: > Yep. The CA business is one of trust. If the CA is not trusted, they are out > of business. You can rewrite that: Trust is the CA business. Trust has a price. If the CA is not trusted, the price increases. Yes, they may end up out of business because of that price jump

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Cameron Byrne
On Sep 10, 2011 11:38 PM, "Damian Menscher" wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > > > I like this response; instant CA death penalty seems to p

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Michael Painter
Damian Menscher wrote: The problem here wasn't just that DigiNotar was compromised, but that they didn't have an audit trail and attempted a coverup which resulted in real harm to users. It will be difficult to regain the trust they lost. Because of that lost trust, any cross-signed cert would

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-10 Thread Damian Menscher
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > > I like this response; instant CA death penalty seems to put the > > incentives about where they need to be. > > I wouldn

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-10 Thread Jimmy Hess
On Sat, Sep 10, 2011 at 3:47 AM, Heinrich Strauss wrote: > On 2011/09/10 05:06, Michael DeMan wrote: >> I thought wildcards were limited to having a domain off a TLD - like >> '*.mydomain.tld'. The root CAs have no technical limitation in regards to what kind of certificates they can issue. The
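The two points above (a root CA is not technically constrained in what names it signs, and the question of whether a '*.*.com' wildcard is even a thing) are worth separating: the constraint on wildcards lives in the client's name-matching logic, not in the CA. The following is an added example, not code from any poster in this thread; it implements the wildcard rule as browsers and RFC 6125 section 6.4.3 apply it (a '*' counts only as the entire leftmost label, matches exactly one label, never a dot, and only one wildcard is honoured), plus the extra rule, assumed here and applied by several implementations, that a wildcard must be followed by at least two labels, so "*.com" is never honoured. Names and inputs are constructed for the example.

```python
"""Browser-style wildcard matching of TLS certificate DNS names.

Added example (not from the thread). Rules implemented, as assumptions:
  * '*' is honoured only when it is the whole leftmost label;
  * it matches exactly one label, so it never spans a dot;
  * at most one wildcard per name;
  * at least two labels must follow the wildcard ("*.com" is refused).
Comparison is case-insensitive and ignores a trailing dot.
"""


def _normalize(name: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` matches `hostname`."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        # No wildcard: plain label-for-label equality.
        return pattern == hostname

    plabels = pattern.split(".")
    hlabels = hostname.split(".")

    # Exactly one '*', and it must be the complete leftmost label.
    # This rejects '*.*.com', 'www.*.com' and partial labels like 'w*.example.com'.
    if pattern.count("*") != 1 or plabels[0] != "*":
        return False
    # Assumed extra rule: at least two labels to the right of the wildcard.
    if len(plabels) < 3:
        return False
    # The wildcard stands for exactly one label, so the label counts must agree;
    # this is what stops '*.example.com' from matching 'a.b.example.com'.
    if len(hlabels) != len(plabels):
        return False
    # The substituted label must not be empty ('.example.com' is not a host).
    if not hlabels[0]:
        return False
    return hlabels[1:] == plabels[1:]


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches hostname."""
    return any(wildcard_matches(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list for illustration.
    sans = ["mail.example.com", "*.example.com"]
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "->", cert_matches_host(sans, host))
```

The matcher shows why a '*.*.com' name would be useless to an attacker even if a CA signed it: no browser-style client honours a wildcard outside the leftmost label. It also shows why that is no comfort, which is the point made above about root CAs: a compromised or rogue CA does not need wildcards at all, it can simply issue a plain certificate for the exact hostname it wants to impersonate, and that passes the equality branch of this check like any other.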

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-10 Thread Heinrich Strauss
On 2011/09/10 05:06, Michael DeMan wrote: Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all. I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. Given a private network and the need to monitor it i

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Jimmy Hess
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > I like this response; instant CA death penalty seems to put the > incentives about where they need to be. I wouldn't necessarily count them dead just yet; although their legit c

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Dan White
On 09/09/11 20:06 -0700, Michael DeMan wrote: Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all. I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. Is it true that my browser on a windows, mac,

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Michael DeMan
Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all. I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. Is it true that my browser on a windows, mac, or linux desktop may have listed as trusted a

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Paul
On 09/09/2011 11:48 AM, Marcus Reid wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: FYI!!! http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html Google and Mozilla have also updated their browsers to block

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Marcus Reid
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > FYI!!! > > http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html > > Google and Mozilla have also updated their browsers to block all DigiNotar > certificates, whi

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-07 Thread Alexander Harrowell
On Wednesday 07 Sep 2011 17:17:10 Network IP Dog wrote: > FYI!!! > > http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html > > Google and Mozilla have also updated their browsers to block all DigiNotar > certificates, while App

Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-07 Thread Network IP Dog
FYI!!! http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html Google and Mozilla have also updated their browsers to block all DigiNotar certificates, while Apple has been silent on the issue, an emblematic zombie response! Cheers.