Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Christopher Morrow morrowc.lists at gmail.com
Mon Sep 12 10:22:11 CDT 2011


On Mon, Sep 12, 2011 at 4:39 AM,  <Valdis.Kletnieks at vt.edu> wrote:
> On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
>> If I have a thawte cert for valdis.com on host A and one from comodo
>> on host B... which is the right one?
>
> You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when
> you got to the IP address you were trying to reach, the cert didn't validate as
> matching the hostname, you know something fishy is up.
>
> And if you *do* have two certs for it, I'd like to talk to the bozos at
> Thawte and Comodo who obviously didn't check the paperwork. ;)

this has already happened with mozilla.com, google.com, microsoft.com
.... my point was that as a user, and as a service operator, what in
today's CA world helps me know that the service operator's certificate
is what my user-client sees? some 'trust' in the fact that
thawte/comodo/verisign/cnnic didn't issue a cert for the
service-operator's service incorrectly?

I think I need a method that the service operator can use to signal to
my user-client outside the certificate itself that the certificate
#1234 is the 'right' one.



More information about the NANOG mailing list