Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Christopher Morrow morrowc.lists at gmail.com
Sun Sep 11 20:57:59 CDT 2011


somewhat rhetorically...

On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher <damian at google.com> wrote:

> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers.  It would also make the browser vendors question whether the
> signing CA is worthy of their trust.

given a list of ca's and certs to invalidate ... how large a list
would be practical in a browser? (baked in I mean)
  (not very, relative to the size of the domain system today)
Is this scalable?
  (no)
Is this the only answer we have left?
  (no)

-chris
(I'm not sure what better answers there are to the situation we are in
today, I do like the work in DANE-WG though... it'll be a while before
it's practical to use though, I fear)



More information about the NANOG mailing list