Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Michael Painter tvhawaii at shaka.com
Sun Sep 11 07:33:17 UTC 2011


Damian Menscher wrote:
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users.  It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers.  It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
> Damian

I'd be interested in hearing what you have to say about the hacker's claim at:
http://pastebin.com/85WV10EL

"d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is 
totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, 
SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply 
I can issue updates via windows update!"

Thanks,

--Michael





More information about the NANOG mailing list