Microsoft deems all DigiNotar certificates untrustworthy, releases

• Previous message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases updates
• Next message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > Because of that lost trust, any cross-signed cert would likely be revoked by
> > the browsers.  It would also make the browser vendors question whether the
> > signing CA is worthy of their trust.
> 
> To pop up the stack a bit it's the fact that an organization willing to
> behave in that fashion was in my list of CA certs in the first place.
> Yes they're blackballed now, better late than never I suppose. What does
> that say about the potential for other CAs to behave in such a fashion?

The average corporation much prefers to avoid the bad publicity and will
downplay most bad things.  Your favorite CA probably included.

I think that it's hard to cope with SSL.  It doesn't do the right things
for the right reasons.  Many of us, for example, operate local root CA's
for signing of "internal" stuff; all our company gear trusts our local
root CA and lots of stuff has certs issued by it.  In an ideal world,
this would mean that our gear talking to our gear is always secure, but
with other root CA's able to offer certs for our CN's, that isn't really
true.  That's frustrating.

The reality is that - for the average user -  SSL doesn't work well 
unless about 99% of the CA's used by the general public are included 
as "trusted."  If a popular site like Blooble has a cert by DigiNotar
and the Firerox browser is constantly asking what to do, nothing really
good comes out of that ...  either people think Firerox blows, or they
learn to click on the "ignore this" (or worse the "always trust this")
button.  In about 0.0% of the cases do they actually understand the
underlying trust issues.  So there's a great amount of pressure to
just make it magically work.

However, as the number of CA's accepted in most browsers increases, 
the security of the system as a whole decreases dramatically.  Yet
the market for $1000/year SSL certs is rather low, and the guys that
are charging bargain rates for low quality certs are perhaps doing
one good thing (enabling encryption) while simultaneously doing another
bad thing (destroying any "quality" in the system).  SSL is going to
have these problems as long as we maintain the current model.

In the long run, I expect all the CA's to behave something like this -
especially the ones that have more to lose if they were to become
suddenly "untrustworthy." 

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

• Previous message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases updates
• Next message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]