On Tue, Sep 13, 2011 at 11:55 PM, Ted Cooper
ml-nanog0903...@elcsplace.com wrote:
As claimed by the DigiNotar hacker - He compromised their servers but
Eddy was manually approving certs at the time and so no certs were signed.
There was information about it on the site, but it seems to be
The problem that I see with browser response to self-signed (or org generated)
certs is not the warning(s) but the assertion that the cert is invalid. Not issued by
one of the players in the Protection Racket does not make the cert invalid. It may be
untrustable, unreliable, from an unknown
And to end this thread as this effectively ends Diginotar troubles for
the Interwebz:
Dutch official statement:
http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3469
English Summary OPTA revokes Diginotar License as TTP:
On Wed, 2011-09-14 at 19:16 +0200, Jeroen Massar wrote:
And to end this thread as this effectively ends Diginotar troubles for
the Interwebz:
Dutch official statement:
http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3469
Thanks. Translation (my own translation, not bad
*a random php programmer shows*
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
just don't want to use cleartext for internet data transfer. HTTP is like
telnet, and HTTPS is like ssh. But with ssh
Once upon a time, Tei oscar.vi...@gmail.com said:
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show.
SSL without some verification of the far end is useless, as a
man-in-the-middle attack can create self-signed certs just as easily.
--
Chris Adams
Really? You can just connect with SSH?
root@somebox:~# ssh 1.2.3.4
The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.
RSA key fingerprint is 03:26:2c:b2:cd:fd:05:fc:87:70:4b:06:58:40:e7:c3.
Are you sure you want to continue connecting (yes/no)?
That's no different than having
On 9/13/2011 10:29 AM, Tei wrote:
*a random php programmer shows*
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
just don't want to use cleartext for internet data transfer. HTTP is like
telnet,
On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote:
Once upon a time, Tei oscar.vi...@gmail.com said:
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show.
SSL without some verification of the far end is useless, as a
man-in-the-middle attack can
On Tue, 13 Sep 2011 16:29:30 +0200, Tei said:
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
The warning is there for a *reason* - namely that if you have a self-signed
cert, a first time visitor
Once upon a time, Brett Frankenberger rbf+na...@panix.com said:
On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote:
Once upon a time, Tei oscar.vi...@gmail.com said:
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show.
SSL without some
At 22-07-28164 20:59, Tei wrote:
*a random php programmer shows*
He, I just want to self-sign my CERT's and remove the ugly warning that
browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
just don't want to use cleartext for internet data transfer. HTTP is like
telnet,
Once upon a time, valdis.kletni...@vt.edu valdis.kletni...@vt.edu said:
If you use SSH to connect, and either ignore the "host key has changed" or
"authenticity can't be established, continue connecting?" messages, you get
what you deserve - those are the *exact* same issues that your browser warns
On 2011-09-13 20:26, Christopher Morrow wrote:
On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver mich...@klaver.it wrote:
No need for (financial) pain, there are free of charge ssl certificates
available, see for example:
http://www.startssl.com/?app=1
eddy stopped issuing
Huh? I'm a bit
On Tue, Sep 13, 2011 at 11:33 PM, Jima na...@jima.tk wrote:
On 2011-09-13 20:26, Christopher Morrow wrote:
On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver mich...@klaver.it
wrote:
No need for (financial) pain, there are free of charge ssl certificates
available, see for example:
On Tue, Sep 13, 2011 at 11:44 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
On Tue, Sep 13, 2011 at 11:33 PM, Jima na...@jima.tk wrote:
On 2011-09-13 20:26, Christopher Morrow wrote:
On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver mich...@klaver.it
wrote:
No need for (financial)
On 14/09/11 13:44, Christopher Morrow wrote:
On Tue, Sep 13, 2011 at 11:33 PM, Jima na...@jima.tk wrote:
Huh? I'm a bit lost here, since I had two StartSSL certs issued yesterday
afternoon.
orly? weird, they made a press release ~last-june (I think?) stating
they were stopping issuance
On Mon, 12 Sep 2011 04:39:52 -, Marcus Reid said:
You don't have to have the big fat Mozilla root cert bundle on your
machines. Some OSes ship with an empty /etc/ssl, nobody tells you who
you trust.
And for those OS's (who are they, anyhow) that ship empty bundles,
how many CAs do you
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
If I have a thawte cert for valdis.com on host A and one from comodo
on host B... which is the right one?
You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when
you got to the IP address you were trying to
Hank and everyone,
This is a very interesting problem. As it happens, some folks in the
IETF have anticipated this one. For those who are interested, Paul
Hoffman and Jakob Schlyter have been working within the DANE working
group at the IETF to provide for a means to alleviate some of the
Mike,
On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones m...@mikejones.in wrote:
It will take a while to get updated browsers rolled out to enough
users for it to be practical to start using DNS based self-signed
certificates instead of CA-signed certificates, so why don't any
browsers have support
-Original Message-
From: Gregory Edigarov [mailto:g...@bestnet.kharkov.ua]
I.e. instead of a set of trusted CAs there will be one distributed net
of servers, that act as a cert storage?
I do not see how that could help...
Well, I do not even see how can one trust any certificate
Steinar,
On Sun, Sep 11, 2011 at 8:12 PM, sth...@nethelp.no wrote:
To pop up the stack a bit it's the fact that an organization willing to
behave in that fashion was in my list of CA certs in the first place.
Yes they're blackballed now, better late than never I suppose. What does
that say
On Sep 11, 2011, at 11:06 PM, Hughes, Scott GRE-MG wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers and phishing schemes. Even EV certificates don't help when consumers
Except that this just shifts the burden of trust on to DNSSEC, which also
necessitates a central authority of 'trust'. Unless there's an explicitly
more secure way of storing DNSSEC private keys, this just moves the bullseye
from CAs to DNSSEC signers.
Jason
On Mon, Sep 12, 2011 at 5:30 AM,
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist <insert intel organisation here> when they ask for
dodgy certs so they can intercept something..
No, as soon as you have somebody who is not
Randy Bush wrote:
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist <insert intel organisation here> when they ask for
dodgy certs so they can intercept something..
No, as soon as you have
with dane, i trust whoever runs dns for citibank to identify the cert
for citibank. this seems much more reasonable than other approaches,
though i admit to not having dived deeply into them all.
If the root DNS keys were compromised in an all DNS rooted world...
unhappiness would ensue in
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up complexity too and makes you wonder
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
And how long would it be before browsers allowed
self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
As previously mentioned, Chrome >= v14 already does.
Regards,
Martin
On Mon, Sep 12, 2011 at 4:39 AM, valdis.kletni...@vt.edu wrote:
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
If I have a thawte cert for valdis.com on host A and one from comodo
on host B... which is the right one?
You wouldn't have 2 certs for that... I'd have *one* cert for
Martin Millnert wrote:
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
And how long would it be before browsers allowed
self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
As previously mentioned, Chrome >= v14 already does.
The perils of coming in late in a
On 13/09/11 01:12, Randy Bush wrote:
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up
On Mon, Sep 12, 2011 at 7:09 AM, Martin Millnert milln...@gmail.com wrote:
Something similar, including use of purchased (not only limited to
stolen certs), is ongoing already, all of the time. (I had a fellow
IRC-chat-friend report from a certain very western-allied middle
eastern country
On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
Date: Mon, 12 Sep 2011 11:22:11 -0400
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy,
releases updates
From: Christopher Morrow morrowc.li...@gmail.com
I think I need a method
On 12 September 2011 18:39, Robert Bonomi bon...@mail.r-bonomi.com wrote:
Seriously, about the only way I see to ameliorate this kind of problem is
for people to use self-signed certificates that are then authenticated
by _multiple_ 'trust anchors'. If the end-user world raises warnings
for a
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
Date: Mon, Sep 12, 2011 at 11:46:04AM +0200 Quoting fredrik danerklint
(fredan-na...@fredan.se):
How about a TXT record with the CN string of the CA cert subject in it?
If it exists and there's a conflict
On Mon, 12 Sep 2011 22:31:59 +0200, Måns Nilsson said:
Since you are from Sweden, and in an IT job, you probably have personal
relations to someone who has personal relations to one of the swedes
or other nationalities that were present at the key ceremonies for the
root. Once you've
How about a TXT record with the CN string of the CA cert subject in
it? If it exists and there's a conflict, don't trust it. Seems
simple enough to implement without too much collateral damage.
Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
to
Mike Jones m...@mikejones.in wrote:
DNSSEC deployment is advanced enough now to do that automatically at the
client.
Sadly not quite. DNSSEC does have the potential to provide an alternative
public key infrastructure, and I'm keen to see that happen. But although
it works well between
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess mysi...@gmail.com wrote:
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid mar...@blazingdot.com wrote:
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
I like this response; instant CA death penalty seems to put the
incentives about
Damian Menscher wrote:
The problem here wasn't just that DigiNotar was compromised, but that they
didn't have an audit trail and attempted a coverup which resulted in real
harm to users. It will be difficult to re-gain the trust they lost.
Because of that lost trust, any cross-signed cert
Cameron Byrne cb.li...@gmail.com writes:
Yep. The CA business is one of trust. If the CA is not trusted, they are out
of business.
You can rewrite that: Trust is the CA business. Trust has a price. If
the CA is not trusted, the price increases.
Yes, they may end up out of business because
On 9/10/11 23:30 , Damian Menscher wrote:
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess mysi...@gmail.com wrote:
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid mar...@blazingdot.com wrote:
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
I like this response; instant CA death
To pop up the stack a bit it's the fact that an organization willing to
behave in that fashion was in my list of CA certs in the first place.
Yes they're blackballed now, better late than never I suppose. What does
that say about the potential for other CAs to behave in such a fashion?
I'd
Because of that lost trust, any cross-signed cert would likely be revoked by
the browsers. It would also make the browser vendors question whether the
signing CA is worthy of their trust.
To pop up the stack a bit it's the fact that an organization willing to
behave in that fashion was
2011/9/11, Joel jaeggli joe...@bogus.com:
On 9/10/11 23:30 , Damian Menscher wrote:
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess mysi...@gmail.com wrote:
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid mar...@blazingdot.com
wrote:
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
I
On 11 September 2011 16:55, Bjørn Mork bj...@mork.no wrote:
You can rewrite that: Trust is the CA business. Trust has a price. If
the CA is not trusted, the price increases.
Yes, they may end up out of business because of that price jump, but you
should not neglect the fact that trust is
There's an app^W^Wa Working Group for that.
http://tools.ietf.org/wg/dane/
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones m...@mikejones.in wrote:
On 11 September 2011 16:55, Bjørn Mork bj...@mork.no wrote:
You can rewrite that: Trust is the CA business. Trust has a price. If
the CA is not
Damian Menscher wrote on 2011-09-11:
Because of that lost trust, any cross-signed cert would likely be
revoked by the browsers. It would also make the browser vendors
question whether the signing CA is worthy of their trust.
And therein is the root of the problem: Trustworthiness is
On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said:
To pop up the stack a bit it's the fact that an organization willing to
behave in that fashion was in my list of CA certs in the first place.
Yes they're blackballed now, better late than never I suppose. What does
that say about the
On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said:
The current system provides no more authentication or confidentiality
than if everyone simply used self-signed certificates.
Not strictly true. The current system at least gives you "you have reached
the hostname your browser tried to reach".
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them
all (and one password) combined with the client verifying the
server. It's still in its infancy, but it works.
-A
(Full disclosure: I work with the creator of gpgAuth in our day jobs)
On Sun, Sep 11, 2011 at 11:47, Richard Barnes
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
--- SNIP ---
This is a request to add the CA root certificate for Honest Achmed's
Used Cars and Certificates. The requested information as per the CA
information checklist is as follows:
1. Name
Honest Achmed's Used Cars and Certificates
2.
On Sun, 11 Sep 2011 15:20:51 PDT, Aaron C. de Bruyn said:
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them
all (and one password) combined with the client verifying the
server. It's still in its infancy, but it works.
Yes, but it needs to be something that either (a) Joe
On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher dam...@google.com wrote:
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess mysi...@gmail.com wrote:
Because of that lost trust, any cross-signed cert would likely be revoked by
the browsers. It would also make the browser vendors question whether the
On Sun, Sep 11, 2011 at 4:02 PM, Jimmy Hess mysi...@gmail.com wrote:
On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher dam...@google.com
wrote:
On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess mysi...@gmail.com wrote:
Because of that lost trust, any cross-signed cert would likely be revoked
by
In message 146102.1315769...@turing-police.cc.vt.edu, valdis.kletni...@vt.edu
writes:
(*) Has anybody actually enabled "only accept DNSSEC-signed A records"
on an end user system and left it enabled for more than a day before
giving up in disgust? ;)
No. But I run with "reject anything that
somewhat rhetorically...
On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher dam...@google.com wrote:
Because of that lost trust, any cross-signed cert would likely be revoked by
the browsers. It would also make the browser vendors question whether the
signing CA is worthy of their trust.
On Sun, Sep 11, 2011 at 3:37 PM, valdis.kletni...@vt.edu wrote:
On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said:
The current system provides no more authentication or confidentiality
than if everyone simply used self-signed certificates.
Not strictly true. The current system at least
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones m...@mikejones.in wrote:
EV certificates have a
different status and probably still need the CA model
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
-chris
(I've never seen the value in
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end user.
They see a green address bar with the company's name displayed.
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess mysi...@gmail.com wrote:
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end
On Sep 11, 2011, at 9:44 PM, Christopher Morrow morrowc.li...@gmail.com
wrote:
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess mysi...@gmail.com wrote:
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG
shug...@grenergy.com wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers and phishing schemes. Even EV certificates don't
On 9/11/11 11:28 PM, Christopher Morrow wrote:
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG
shug...@grenergy.com wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers
On Sun, Sep 11, 2011 at 01:34:43PM -0500, Joe Greco wrote:
Because of that lost trust, any cross-signed cert would likely be revoked
by
the browsers. It would also make the browser vendors question whether the
signing CA is worthy of their trust.
To pop up the stack a bit it's
At 13:00 11/09/2011 -0600, Keith Medcalf wrote:
Damian Menscher wrote on 2011-09-11:
Because of that lost trust, any cross-signed cert would likely be
revoked by the browsers. It would also make the browser vendors
question whether the signing CA is worthy of their trust.
And therein is
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid mar...@blazingdot.com wrote:
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
I like this response; instant CA death penalty seems to put the
incentives about where they need to be.
I wouldn't necessarily count them dead just yet;
On Sat, Sep 10, 2011 at 3:47 AM, Heinrich Strauss
heinr...@hstrauss.co.za wrote:
On 2011/09/10 05:06, Michael DeMan wrote:
I thought wildcards were limited to having a domain off a TLD - like
'*.mydomain.tld'.
The root CAs have no technical limitation in regards to what kind
of certificates
On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
FYI!!!
http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html
Google and Mozilla have also updated their browsers to block all DigiNotar
certificates, while
Sorry for being ignorant here - I have not even been aware that it is possible
to buy a '*.*.com' domain at all.
I thought wildcards were limited to having a domain off a TLD - like
'*.mydomain.tld'.
Is it true that my browser on a windows, mac, or linux desktop may have
listed as trusted
On 09/09/11 20:06 -0700, Michael DeMan wrote:
Sorry for being ignorant here - I have not even been aware that it is
possible to buy a '*.*.com' domain at all.
I thought wildcards were limited to having a domain off a TLD - like
'*.mydomain.tld'.
Is it true that my browser on a windows,
FYI!!!
http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html
Google and Mozilla have also updated their browsers to block all DigiNotar
certificates, while Apple has been silent on the issue, an emblematic zombie
response!
Cheers.
On Wednesday 07 Sep 2011 17:17:10 Network IP Dog wrote:
FYI!!!
http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_deems_all_diginotar_certificates_untrust.html
Google and Mozilla have also updated their browsers to block all
DigiNotar
certificates, while Apple has