Leif Johansson:

> On 2014-01-02 23:50, Paul Hoffman wrote:
>> On Jan 2, 2014, at 10:57 AM, Jacob Appelbaum <ja...@appelbaum.net>
>> wrote:
>>
>>> I control the private key for the rogue CA that we created.
>> True. However, that rogue CA is not trusted in any root pile,
>> right? You holding a private key for a trusted CA was,
>> appropriately, a big deal. You holding a private key for an
>> untrusted CA is uninteresting.
>>
>
> My understanding of what Jacob wrote is that he holds the key for a
> subordinate CA. Unless the CA that "signed" that subordinate has
> been removed from trust lists then that subordinate would still be
> useful, yes.
Yes, that is correct. And only people like Firefox actually ship it and
explicitly distrust it, I believe. Perhaps others have followed since our
original research. There are a few reasons a browser or program may not
trust it - generally speaking, the expiry date is what we added to ensure
that it wouldn't be abused. That is easy to solve though - just attack NTP
first! :-)

All the best,
Jacob

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
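The two points the thread makes can be checked against a real chain validator: a subordinate CA keeps working for as long as the CA that signed it is in the client's trust list, and the validity window is the only built-in limit on that, which holds only while the client's clock is right. A client that ships the certificate and refuses it by fingerprint does not depend on the clock at all. The Go program below is an added example, not code from the thread or from any of its participants; it uses Go's standard crypto/x509 package, and the CA names, serial numbers and validity dates are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// date builds the constructed validity boundaries used in this example.
func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// issue generates a fresh P-256 key and signs tmpl with parentKey.
// When parent is nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// Scenario is a constructed chain: a trusted root, a subordinate CA whose
// private key is held by someone the root operator never meant to trust,
// and a leaf that key holder issued.
type Scenario struct{ Root, Sub, Leaf *x509.Certificate }

func BuildScenario() Scenario {
	root, rootKey := issue(caTemplate("Constructed Root CA", 1, date(2008, 1, 1), date(2030, 1, 1)), nil, nil)
	// A short validity window on the sub-CA is the "expiry date" mitigation.
	sub, subKey := issue(caTemplate("Constructed Sub CA", 2, date(2008, 1, 1), date(2008, 12, 31)), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: date(2008, 6, 1), NotAfter: date(2008, 12, 31),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, subKey)
	return Scenario{root, sub, leaf}
}

// Fingerprint is the hex SHA-256 of the DER certificate, the key of an
// explicit distrust list: it lets a client refuse one sub-CA without
// removing the root that signed it.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyLeaf validates leaf -> sub -> root the way a client would, with
// `now` as the clock, then rejects the result if every candidate chain
// contains a certificate on the distrust list.
func VerifyLeaf(s Scenario, now time.Time, distrusted map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Sub)
	chains, err := s.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		CurrentTime: now, // the expiry check is only as good as this clock
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				clean = false
			}
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("every candidate chain contains an explicitly distrusted certificate")
}

// IsExpiredError reports whether err is a validity-period failure.
func IsExpiredError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

func main() {
	s := BuildScenario()
	fmt.Println("inside validity window:", VerifyLeaf(s, date(2008, 7, 1), nil))
	fmt.Println("clock at 2014-01-02:", VerifyLeaf(s, date(2014, 1, 2), nil))
	fmt.Println("clock rolled back, sub-CA distrusted:", VerifyLeaf(s, date(2008, 7, 1), map[string]bool{Fingerprint(s.Sub): true}))
}
```

Running it prints a nil error for the first case (the root is trusted, so the sub-CA chain verifies), an expiry error for the second, and a distrust error for the third, where the clock alone would have accepted the chain. The fingerprint check is deliberately done on the chains Verify returns rather than on the leaf's stated issuer, so it catches the sub-CA wherever it appears in a path.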