On Sep 14, 2011, at 2:06 AM, SM wrote:
Hi Yoav,
At 11:41 13-09-2011, Yoav Nir wrote:
Six months ago we would not have thought that Comodo or DigiNotar
were easy to hack. In the latter case, the customers of DigiNotar
were left out in the cold. Without
The DigiNotar partnership has
Just thinking out loud here.
On 09/13/2011 01:41 PM, Yoav Nir wrote:
Locking yourself into a CA like that seems like a bad idea. Unlike
the Dutch government and Mozilla, most customers do not have the pull
to force CAs to submit to audits.
Or not, like the Dutch government, have the pull to
On Tue, Sep 13, 2011 at 12:37 PM, Daniel Kahn Gillmor
d...@fifthhorseman.net wrote:
So certificate pinning isn't bad in this case -- CA certificate pinning
is bad.
Not even that, really. Pinning your CA and not having a backup pin
that chains up to a different CA is the bad thing.
On 13/09/11 13:06, Marsh Ray wrote:
Or not, like the Dutch government, have the pull to convince Mozilla to
hesitate for a few days to revoke your pwned CA.
That is rather unfair. You make it sound like they asked, and we
complied. In truth, we relied on an assessment of the situation from
On 13 Sep 2011, at 23:30, Marsh Ray wrote:
snip
Wouldn't they have to acquire a valid cert first? Not saying that's out of
the realm of possibility, but...
Yeah, but in the case that you've gained control of a domain's DNS, which is
what happened, how hard would it be to get a valid DV