Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Jason Duerstock jason.duerstock at gallaudet.edu
Mon Sep 12 09:32:39 CDT 2011


Except that this just shifts the burden of trust on to DNSSEC, which also
necessitates a central authority of 'trust'.  Unless there's an explicitly
more secure way of storing DNSSEC private keys, this just moves the bullseye
from CAs to DNSSEC signers.

Jason

On Mon, Sep 12, 2011 at 5:30 AM, Eliot Lear <lear at cisco.com> wrote:

> Hank and everyone,
>
> This is a very interesting problem.  As it happens, some folks in the
> IETF have anticipated this one.  For those who are interested, Paul
> Hoffman and Jakob Schlyter have been working within the DANE working
> group at the IETF to provide for a means to alleviate some of the
> responsibility of the browser vendors as to who gets to decide what is a
> valid certificate, by allowing for that burden to be shifted to the
> subject through the use of secure DNS.  A list of hashes is published in
> the subject's domain indicating what are valid certificates.  And so if
> a CA went rogue, the subject domains would be able to indicate to the
> browser that something is afoot.  For more information, please see
> http://datatracker.ietf.org/wg/dane/.
>
> Eliot
>
> On 9/12/11 7:22 AM, Hank Nussbacher wrote:
> > At 13:00 11/09/2011 -0600, Keith Medcalf wrote:
> >> Damian Menscher wrote on 2011-09-11:
> >>
> >> > Because of that lost trust, any cross-signed cert would likely be
> >> > revoked by the browsers.  It would also make the browser vendors
> >> > question whether the signing CA is worthy of their trust.
> >>
> >> And therein is the root of the problem:  Trustworthiness is assessed
> >> by what you refer to as the "browser vendors".  Unfortunately, there
> >> is no Trustworthiness assessment of those vendors.
> >>
> >> The current system provides no more authentication or confidentiality
> >> than if everyone simply used self-signed certificates.  It is nothing
> >> more than theatre and provides no actual security benefit
> >> whatsoever.  Anyone believing otherwise is operating under a delusion.
> >
> > The problem is about lack of pen-testing and a philosphy of security.
> > In order to run a CA, one not only has to build the infrastructure but
> > also have constant external pen-testing and patch management in
> > place.  Whether it be Comodo or RSA or now Diginotar, unless an
> > overwhelming philosphy of "computer and network security" is
> > paradigmed into the corporate DNA, this will keep happening - and not
> > only to CAs but to the likes of Google, Cisco, Microsoft, etc. (read -
> > APT attacks).
> >
> > If 60% of your employees will plug in a USB drive they find in the
> > parking lot, then you have failed:
> >
> http://www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html
> >
> >
> > The problem for us as a community if to find a benchmark of which
> > company "does have a clue" vs those that don't.  Until then, it will
> > just be whack-a-mole/CA.
> >
> > -Hank
> >
> >
> >
> >
> >
> >
> >> --- Keith Medcalf
> >> ()  ascii ribbon campaign against html e-mail
> >> /\  www.asciiribbon.org
> >
> >
> >
>
>


More information about the NANOG mailing list