Microsoft deems all DigiNotar certificates untrustworthy, releases

Lou Katz lou at
Wed Sep 14 17:02:48 UTC 2011

The problem that I see with browser response to self-signed (or org generated) certs is
not the warning(s) but the assertion that the cert is invalid. Not issued by one of the
players in the Protection Racket does not make the cert invalid. It may be untrustable,
unreliable, from an unknown and/or unverifiable source, but it IS a valid cert. Certs in
a revocation list or malformed certs are invalid. 

After all, the Diginotar certs were 'valid', until revoked. Apparently the (arbitrary)
inclusion or exclusion of a root cert by each browser creator or distributer is
equated with validity. By removing the Diginotar root cert, suddenly ALL Diginotar
certs are now reported to end users as Invalid? By refusing to include a CACert root
certificate, no CACert certificate is 'valid'? I think not.


Hand typed on my Remington portable

More information about the NANOG mailing list