[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Sep 6 00:51:39 PDT 2011
Erwann ABALEA <erwann at abalea.com> writes:
>Do you have any CA in mind doing this (ignoring the nonce)?
Yes, all of them:
"Re: [pkix] Possible revocation delay issue with TLS stapling", Yngve
Pettersen, posting to the pkix at ietf.org mailing list, message-ID
op.u96yr9tikvaitl at lessa-ii, 26 March 2010.
(I'm assuming from your reaction that you guys don't ignore nonces, so I'll
qualify that with "every CA that the Opera folks are aware of").
>Starting with Windows XP (SP3 at most), the clock is synchronized with some
>servers (by default). It's also the same with MacOSX machines. Not at all
>with Linux (or any other Unix-like), though.
Windows may sync in theory, but it's not having much effect in practice. A
few quick refs (which in turn point to further refs; you can chase these
across to various other web pages):
http://www.codinghorror.com/blog/2007/01/keeping-time-on-the-pc.html
http://blogs.msdn.com/b/oldnewthing/archive/2010/11/05/10086404.aspx
Peter.
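Illustrating the point made in this exchange (an added example, not code from the thread or from any CA): when the responder ignores the request nonce, the client is left judging freshness against its own clock, so a stale response replays cleanly on a machine whose clock is off. The OcspResponse dataclass and its field names are assumptions standing in for a parsed response; the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UTC = timezone.utc

@dataclass
class OcspResponse:
    # Constructed stand-in for the fields a client reads out of a parsed
    # OCSP response (not a parser; the field names are assumptions).
    this_update: datetime
    next_update: Optional[datetime]
    nonce: Optional[bytes]  # None when the responder ignored the request nonce

def check_ocsp_freshness(resp: OcspResponse, request_nonce: bytes, now: datetime,
                         max_skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Decide whether a response is fresh; `now` is the client's local clock."""
    if resp.nonce is not None:
        # A nonce binds the response to this request regardless of the clock.
        if resp.nonce == request_nonce:
            return True, "nonce matches: response bound to this request"
        return False, "nonce mismatch: replayed or foreign response"
    # No nonce echoed: only the validity window is left, and it is judged
    # against the local clock, which the thread notes is often wrong.
    if resp.this_update > now + max_skew:
        return False, "thisUpdate lies in the future"
    if resp.next_update is None:
        return False, "no nonce and no nextUpdate: validity cannot be bounded"
    if now > resp.next_update + max_skew:
        return False, "response window has expired"
    return True, "no nonce: accepted on the time window alone (trusts local clock)"

def replay_demo() -> Tuple[bool, bool]:
    """Constructed scenario: a week-old, nonce-less response replayed to a client."""
    produced = datetime(2011, 8, 30, 12, 0, tzinfo=UTC)
    stale = OcspResponse(this_update=produced,
                         next_update=produced + timedelta(days=1), nonce=None)
    nonce = b"\x01\x02\x03\x04"  # what the client put in its request
    good_clock = datetime(2011, 9, 6, 12, 0, tzinfo=UTC)
    bad_clock = produced + timedelta(hours=1)  # client clock a week behind
    accepted_good, _ = check_ocsp_freshness(stale, nonce, good_clock)
    accepted_bad, _ = check_ocsp_freshness(stale, nonce, bad_clock)
    return accepted_good, accepted_bad

if __name__ == "__main__":
    print(replay_demo())  # (False, True)
```

With a correct clock the stale response is rejected; with the clock a week behind it is accepted, which is exactly the gap a honoured nonce would close.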