On Wednesday 09 May 2012 15:08:46 Mark Gollahon wrote:

> > As of a few minutes ago, SSL/TLS support in iPXE should be working for
> > all valid HTTPS addresses. You can now use an unmodified web server
> > with a certificate issued by any public CA (Verisign, Equifax, etc.).
> > Any certificate trusted by Firefox should now be trusted by iPXE.
>
> I admit that I am a noob on this, but how will iPXE handle another
> DigiNotar? Will fresh iPXE source have to be compiled and
> re-deployed?
No; a compromised CA such as DigiNotar would not require a new iPXE binary.

Only one certificate is compiled into iPXE, which is the "iPXE root CA" certificate. Only a compromise of _this_ certificate (or whichever alternative root certificate you build in using TRUST=...) would require a rebuild and redeployment.

If a public CA certificate is compromised (as with DigiNotar), then this CA certificate will be removed from the set of cross-signed certificates hosted on http://ca.ipxe.org/. Existing iPXE builds would no longer be able to obtain a valid cross-signing certificate, and so would no longer trust the compromised CA.

(At present, there is a 90-day window during which an attacker could use a previously-issued cross-signing certificate to cause iPXE to trust the compromised CA. This window will be reduced to a few hours once OCSP has been implemented.)

Michael

_______________________________________________
ipxe-devel mailing list
[email protected]
https://lists.ipxe.org/mailman/listinfo/ipxe-devel

