Microsoft deems all DigiNotar certificates untrustworthy, releases updates
Michael Painter
tvhawaii at shaka.com
Sun Sep 11 07:33:17 UTC 2011
Damian Menscher wrote:
> The problem here wasn't just that DigiNotar was compromised, but that they
> didn't have an audit trail and attempted a coverup which resulted in real
> harm to users. It will be difficult to re-gain the trust they lost.
>
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers. It would also make the browser vendors question whether the
> signing CA is worthy of their trust.
>
> Damian
I'd be interested in hearing what you have to say about the hacker's claim at:
http://pastebin.com/85WV10EL
"d) I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is
totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no,
SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply
I can issue updates via windows update!"
Thanks,
--Michael
More information about the NANOG
mailing list