Microsoft deems all DigiNotar certificates untrustworthy, releases

Valdis.Kletnieks at Valdis.Kletnieks at
Mon Sep 12 08:39:03 UTC 2011

On Mon, 12 Sep 2011 04:39:52 -0000, Marcus Reid said:

> You don't have to have the big fat Mozilla root cert bundle on your
> machines.  Some OSes "ship" with an empty /etc/ssl, nobody tells you who
> you trust.

And for those OS's (who are they, anyhow) that ship empty bundles,
how many CAs do you end up trusting anyhow?

> How about a TXT record with the CN string of the CA cert subject in it?
> If it exists and there's a conflict, don't trust it.  Seems simple
> enough to implement without too much collateral damage.

Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
to attacks via DNS poisoning (either insert a malicious TXT that matches your
malicious certificate, or insert a malicious TXT that intentionally *doesn't* match
the vicitm's certificate)....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list