[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Sep 5 20:04:31 PDT 2011
Larry Seltzer <larry at larryseltzer.com> writes:
>>Since you can't directly invalidate an unknown cert, the only way to do it
>>is pull the root.
>
>The whitelist I was referring to was the trusted root collection. Isn't this
>a whitelist?
We're going round in circles here. Let me try again:
1. Iranians[0] compromise Verisign and issue themselves a cert with it.
2. Since it wasn't an official cert issue, there's no record of it existing.
How do you propose to invalidate the cert?
Peter.
[0] I was going to say "hackers" but "Iranians" comes with a good track record
:-).