Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Jimmy Hess
On Mon, Sep 12, 2011 at 6:23 AM, Gregory Edigarov wrote: > I.e. instead of a set of trusted CAs there will be one distributed net > of servers, that act as a cert storage? > I do not see how that could help... More lines of defense on top of the CA model. Consider instead of abandoning the CA mode

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Marcus Reid
On Mon, Sep 12, 2011 at 11:00:47PM +0100, Tony Finch wrote: > Note that a big weak point in the DNS is the interface between the > registrars and the registry. If you have a domain you have to trust the > registry to impose suitable restrictions on its registrars to prevent a > dodgy registrar from

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
> > > > with dane, i trust whoever runs dns for citibank to identify the cert > > > > for citibank. this seems much more reasonable than other approaches, > > > > though i admit to not having dived deeply into them all. > > > If the root DNS keys were compromised in an all DNS rooted world... > >

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
Mike Jones wrote: > > DNSSEC deployment is advanced enough now to do that automatically at the > client. Sadly not quite. DNSSEC does have the potential to provide an alternative public key infrastructure, and I'm keen to see that happen. But although it works well between authoritative servers a

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Jasper Wallace
On Mon, 12 Sep 2011, Gregory Edigarov wrote: > On Mon, 12 Sep 2011 12:12:08 +0200 > Martin Millnert wrote: > > > Mike, > > > > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > > > It will take a while to get updated browsers rolled out to enough > > > users for it to be practical to start

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Eliot Lear
On 9/12/11 4:32 PM, Jason Duerstock wrote: > Except that this just shifts the burden of trust on to DNSSEC, which > also necessitates a central authority of 'trust'. Unless there's an > explicitly more secure way of storing DNSSEC private keys, this just > moves the bullseye from CAs to DNSSEC s

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Mike Jones
On 12 September 2011 18:39, Robert Bonomi wrote: > Seriously, about the only way I see to ameliorate this kind of problem is > for people to use self-signed certificates that are then authenticated > by _multiple_ 'trust anchors'.  If the end-user world raises warnings > for a certificate 'authent

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi wrote: > >> Date: Mon, 12 Sep 2011 11:22:11 -0400 >> Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, >>  releases updates >> From: Christopher Morrow >> >> I think I need a method that th

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Damian Menscher
On Mon, Sep 12, 2011 at 7:09 AM, Martin Millnert wrote: > > Something similar, including use of purchased (not only limited to > stolen certs), is ongoing already, all of the time. (I had a fellow > IRC-chat-friend report from a certain very western-allied middle > eastern country that there's I

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Robert Bonomi
> Date: Mon, 12 Sep 2011 11:22:11 -0400 > Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, > releases updates > From: Christopher Morrow > > I think I need a method that the service operator can use to signal to my > user-client outside the certif

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Ted Cooper
On 13/09/11 01:12, Randy Bush wrote: >>> as eliot pointed out, to defeat dane as currently written, you would >>> have to compromise dnssec at the same time as you compromised the CA at >>> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to >>> CA trust. >> Yes, I saw that. It a

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Martin Millnert wrote: On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas wrote: And how long would it be before browsers allowed self-signed-but-ok'ed-using-dnssec-protected-cert-hashes? As previously mentioned, Chrome >= v14 already does. The perils of coming in late in a thread :) Mike

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 4:39 AM, wrote: > On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said: >> If I have a thawte cert for valdis.com on host A and one from comodo >> on host B... which is the right one? > > You wouldn't have 2 certs for that... I'd have *one* cert for that. And if > wh

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas wrote: > And how long would it be before browsers allowed > self-signed-but-ok'ed-using-dnssec-protected-cert-hashes? As previously mentioned, Chrome >= v14 already does. Regards, Martin

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
>> as eliot pointed out, to defeat dane as currently written, you would >> have to compromise dnssec at the same time as you compromised the CA at >> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to >> CA trust. > Yes, I saw that. It also drives up complexity too and makes you

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Randy Bush wrote: with dane, i trust whoever runs dns for citibank to identify the cert for citibank. this seems much more reasonable than other approaches, though i admit to not having dived deeply into them all. If the root DNS keys were compromised in an all DNS rooted world... unhappiness w

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Gregory Edigarov
On Mon, 12 Sep 2011 07:53:57 -0700 Michael Thomas wrote: > Randy Bush wrote: > >> But Gregory is right, you cannot really trust anybody completely. > >> Even the larger and more respectable commercial organisations will > >> be unable to resist when they ask > >> for dodgy certs so they can inte

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
>> with dane, i trust whoever runs dns for citibank to identify the cert >> for citibank. this seems much more reasonable than other approaches, >> though i admit to not having dived deeply into them all. > If the root DNS keys were compromised in an all DNS rooted world... > unhappiness would ens

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Randy Bush wrote: But Gregory is right, you cannot really trust anybody completely. Even the larger and more respectable commercial organisations will be unable to resist when they ask for dodgy certs so they can intercept something.. No, as soon as you have somebody who is not yourself in cont

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
> But Gregory is right, you cannot really trust anybody completely. Even > the larger and more respectable commercial organisations will be > unable to resist when they ask for > dodgy certs so they can intercept something.. > > No, as soon as you have somebody who is not yourself in control > wi

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Jason Duerstock
Except that this just shifts the burden of trust on to DNSSEC, which also necessitates a central authority of 'trust'. Unless there's an explicitly more secure way of storing DNSSEC private keys, this just moves the bullseye from CAs to DNSSEC signers. Jason On Mon, Sep 12, 2011 at 5:30 AM, Elio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Christopher J. Pilkington
On Sep 11, 2011, at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consumers

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Martin Millnert
Steinar, On Sun, Sep 11, 2011 at 8:12 PM, wrote: >> To pop up the stack a bit it's the fact that an organization willing to >> behave in that fashion was in my list of CA certs in the first place. >> Yes they're blackballed now, better late than never I suppose. What does >> that say about the p

RE: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Leigh Porter
> -Original Message- > From: Gregory Edigarov [mailto:g...@bestnet.kharkov.ua] > I.e. instead of a set of trusted CAs there will be one distributed net > of servers, that act as a cert storage? > I do not see how that could help... > Well, I do not even see how can one trust any certifica

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
Gregory, On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov wrote: > On Mon, 12 Sep 2011 12:12:08 +0200 > Martin Millnert wrote: > >> Mike, >> >> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: >> > It will take a while to get updated browsers rolled out to enough >> > users for it to be prac

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Gregory Edigarov
On Mon, 12 Sep 2011 12:12:08 +0200 Martin Millnert wrote: > Mike, > > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > > It will take a while to get updated browsers rolled out to enough > > users for it to be practical to start using DNS based self-signed > > certificates instead of CA-Sig

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
Mike, On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > It will take a while to get updated browsers rolled out to enough > users for it to be practical to start using DNS based self-signed > certificates instead of CA-Signed certificates, so why don't any > browsers have support yet? are any

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Eliot Lear
Hank and everyone, This is a very interesting problem. As it happens, some folks in the IETF have anticipated this one. For those who are interested, Paul Hoffman and Jakob Schlyter have been working within the DANE working group at the IETF to provide for a means to alleviate some of the respon

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said: > If I have a thawte cert for valdis.com on host A and one from comodo > on host B... which is the right one? You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when you got to the IP address you were trying to reac

RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Hank Nussbacher
At 13:00 11/09/2011 -0600, Keith Medcalf wrote: Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread William Allen Simpson
On 9/11/11 11:28 PM, Christopher Morrow wrote: On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: Companies that wrap their services with generic domain names (paymybills.com and the like) have no one to blame but themselves when they are targeted by scammers and phishing schemes.

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consume

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Hughes, Scott GRE-MG
On Sep 11, 2011, at 9:44 PM, "Christopher Morrow" wrote: > On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: >> On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow >> wrote: >> >>> what's the real benefit of an EV cert? (to the service owner, not the >>> CA, the CA benefit is pretty clearly

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow > wrote: > >> what's the real benefit of an EV cert? (to the service owner, not the >> CA, the CA benefit is pretty clearly $$) > > The benefit is to the end user. > They see a green address

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Jimmy Hess
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow wrote: > what's the real benefit of an EV cert? (to the service owner, not the > CA, the CA benefit is pretty clearly $$) The benefit is to the end user. They see a green address bar with the company's name displayed. Yeah, company's name dis

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > EV certificates have a > different status and probably still need the CA model what's the real benefit of an EV cert? (to the service owner, not the CA, the CA benefit is pretty clearly $$) -chris (I've never seen the value in EV or even DV ce

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 3:37 PM, wrote: > On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: >> The current system provides no more authentication or confidentiality >> than if everyone simply used self-signed certificates. > > Not strictly true.  The current system at least gives you "you hav

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Christopher Morrow
somewhat rhetorically... On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the > signing CA is worthy of their trust. given a list of ca'

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Mark Andrews
In message <146102.1315769...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu writes: > (*) Has anybody actually enabled "only accept DNSSEC-signed A records" > on an end user system and left it enabled for more than a day before > giving up in disgust? ;) No. But I run with "reject anything

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Damian Menscher
On Sun, Sep 11, 2011 at 4:02 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher > wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > Because of that lost trust, any cross-signed cert would likely be revoked > by > > the browsers. It would also make the brow

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Jimmy Hess
On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the I am not engaging in speculatio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 15:20:51 PDT, "Aaron C. de Bruyn" said: > I'm pretty fond of the idea proposed by gpgAuth. One key to rule them > all (and one password) combined with the client verifying the > server. It's still in its infancy, but it works. Yes, but it needs to be something that either (a) Joe

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread James Harr
https://bugzilla.mozilla.org/show_bug.cgi?id=647959 --- SNIP --- This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates. The requested information as per the CA information checklist is as follows: 1. Name Honest Achmed's Used Cars and Certificates 2. W

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Aaron C. de Bruyn
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them all (and one password) combined with the client verifying the server. It's still in its infancy, but it works. -A (Full disclosure: I work with the creator of gpgAuth in our day jobs) On Sun, Sep 11, 2011 at 11:47, Richard Barnes

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: > The current system provides no more authentication or confidentiality > than if everyone simply used self-signed certificates. Not strictly true. The current system at least gives you "you have reached the hostname your browser tried to reac

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said: > To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the pot

RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Keith Medcalf
Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is the root of the problem: Trustworthiness is asses

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Richard Barnes
There's an app^W^Wa Working Group for that. On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > On 11 September 2011 16:55, Bjørn Mork wrote: >> You can rewrite that: Trust is the CA business.  Trust has a price.  If >> the CA is not trusted, the price increases

Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Mike Jones
On 11 September 2011 16:55, Bjørn Mork wrote: > You can rewrite that: Trust is the CA business.  Trust has a price.  If > the CA is not trusted, the price increases. > > Yes, they may end up out of business because of that price jump, but you > should not neglect the fact that trust is for sale he

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread lgomes00
2011/9/11, Joel jaeggli : > On 9/10/11 23:30 , Damian Menscher wrote: >> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: >> >>> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid >>> wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: I like this response; instant CA deat

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread sthaug
> To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the potential for other CAs to behave in such a fashion? I'd

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Joel jaeggli
On 9/10/11 23:30 , Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > >> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: >>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: >>> I like this response; instant CA death penalty seems to put the >>> incen

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Bjørn Mork
Cameron Byrne writes: > Yep. The CA business is one of trust. If the CA is not trusted, they are out > of business. You can rewrite that: Trust is the CA business. Trust has a price. If the CA is not trusted, the price increases. Yes, they may end up out of business because of that price jump

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Cameron Byrne
On Sep 10, 2011 11:38 PM, "Damian Menscher" wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > > > I like this response; instant CA death penalty seems to p

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Michael Painter
Damian Menscher wrote: The problem here wasn't just that DigiNotar was compromised, but that they didn't have an audit trail and attempted a coverup which resulted in real harm to users. It will be difficult to re-gain the trust they lost. Because of that lost trust, any cross-signed cert would

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-10 Thread Damian Menscher
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > > I like this response; instant CA death penalty seems to put the > > incentives about where they need to be. > > I wouldn

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-10 Thread Jimmy Hess
On Sat, Sep 10, 2011 at 3:47 AM, Heinrich Strauss wrote: > On 2011/09/10 05:06, Michael DeMan wrote: >> I thought wildcards were limited to having a domain off a TLD - like >> '*.mydomain.tld'. The root CAs have no technical limitation in regards to what kind of certificates they can issue. The

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-10 Thread Heinrich Strauss
On 2011/09/10 05:06, Michael DeMan wrote: Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all. I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. Given a private network and the need to monitor it i

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Jimmy Hess
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > I like this response; instant CA death penalty seems to put the > incentives about where they need to be. I wouldn't necessarily count them dead just yet; although their legit c

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Dan White
On 09/09/11 20:06 -0700, Michael DeMan wrote: Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all. I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. Is it true that my browser on a windows, mac,

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Michael DeMan
Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all. I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. Is it true that my browser on a windows, mac, or linux desktop may have listed as trusted a

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Paul
On 09/09/2011 11:48 AM, Marcus Reid wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: FYI!!! http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html Google and Mozilla have also updated their browsers to block

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-09 Thread Marcus Reid
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > FYI!!! > > http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html > > Google and Mozilla have also updated their browsers to block all DigiNotar > certificates, whi

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-07 Thread Alexander Harrowell
On Wednesday 07 Sep 2011 17:17:10 Network IP Dog wrote: > FYI!!! > > http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html > > Google and Mozilla have also updated their browsers to block all DigiNotar > certificates, while App

Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-07 Thread Network IP Dog
FYI!!! http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html Google and Mozilla have also updated their browsers to block all DigiNotar certificates, while Apple has been silent on the issue, an emblematic zombie response! Cheers.