2011/9/11, Joel jaeggli <joe...@bogus.com>:
> On 9/10/11 23:30 , Damian Menscher wrote:
>> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysi...@gmail.com> wrote:
>>
>>> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid <mar...@blazingdot.com> wrote:
>>>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
>>>> I like this response; instant CA death penalty seems to put the
>>>> incentives about where they need to be.
>>>
>>> I wouldn't necessarily count them dead just yet; although their legit
>>> customers must be very unhappy waking up one day to find their
>>> legitimate working SSL certs suddenly unusable....
>>>
>>> So DigiNotar lost their "browser trusted" root CA status. That
>>> doesn't necessarily mean they will be unable to get other root CAs
>>> to cross-sign CA certificates they will make in the future, for the
>>> right price.
>>>
>>> A cross-sign with CA:TRUE is just as good as being installed in
>>> users' browsers.
>>>
>>
>> The problem here wasn't just that DigiNotar was compromised, but that
>> they didn't have an audit trail and attempted a coverup which resulted
>> in real harm to users. It will be difficult to regain the trust they lost.
>>
>> Because of that lost trust, any cross-signed cert would likely be
>> revoked by the browsers. It would also make the browser vendors
>> question whether the signing CA is worthy of their trust.
>
> To pop up the stack a bit it's the fact that an organization willing to
> behave in that fashion was in my list of CA certs in the first place.
> Yes they're blackballed now, better late than never I suppose. What does
> that say about the potential for other CAs to behave in such a fashion?
>
>> Damian
--
Sent from my mobile phone
Luciano P.Gomes
http://lgomes00.blogspot.com/