Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Christopher Morrow morrowc.lists at
Mon Sep 12 01:57:59 UTC 2011

somewhat rhetorically...

On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher <damian at> wrote:

> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers.  It would also make the browser vendors question whether the
> signing CA is worthy of their trust.

given a list of CAs and certs to invalidate ... how large a list
would be practical in a browser? (baked in I mean)
  (not very, relative to the size of the domain system today)
Is this scalable?
Is this the only answer we have left?

(I'm not sure what better answers there are to the situation we are in
today, I do like the work in DANE-WG though... it'll be a while before
it's practical to use though, I fear)

