Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Valdis.Kletnieks at Valdis.Kletnieks at
Sun Sep 11 19:32:06 UTC 2011

On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said:

> To pop up the stack a bit it's the fact that an organization willing to
> behave in that fashion was in my list of CA certs in the first place.
> Yes they're blackballed now, better late than never I suppose. What does
> that say about the potential for other CAs to behave in such a fashion?

I'm sure at least one of the other 250-odd certificates from 100-ish CA's
trusted by most browsers now are actually trustworthy. There is no evidence at
all that the average CA is any less trustworthy than the average DNS registrar.

However, this isn't as big a problem as one might think - the *only* thing that
an SSL sert gives you is "you reached the host your browser tried to reach". It
does *not* validate "the host you intended to reach", or "whether you should
trust this host with your data", or any of a long set of interesting security
issues.  And that one question - "did you reach the host your browser tried
to reach" doesn't really mean much unless you have DNS and routing security
in place as well.  After all, if the IP you get for is incorrect,
or the route has been hijacked, what the cert says is pretty meaningless.

Considering that we seem to muddle along just fine with a DNS that doesn't
really do DNSSEC yet(*), and a lot of black and grey hat registrars out there,
and no real BGP security either,  maybe it isn't the "sky is falling" scenario
that a lot of people want to make it.

Or maybe we should all be even more worried. ;)

(*) Has anybody actually enabled "only accept DNSSEC-signed A records"
on an end user system and left it enabled for more than a day before
giving up in disgust? ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list