[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 6 00:51:39 PDT 2011


Erwann ABALEA <erwann at abalea.com> writes:

>Do you have any CA in mind doing this (ignoring the nonce)?

Yes, all of them:

  "Re: [pkix] Possible revocation delay issue with TLS stapling", Yngve
  Pettersen, posting to the pkix at ietf.org mailing list, message-ID
  op.u96yr9tikvaitl at lessa-ii, 26 March 2010.

(I'm assuming from your reaction that you guys don't ignore nonces, so I'll
qualify that with "every CA that the Opera folks are aware of").

>Starting with Windows XP (SP3 at most), the clock is synchronized with some
>servers (by default). It's also the same with MacOSX machines. Not at all
>with Linux (or any other Unix-like), though.

Windows may sync in theory, but it's not having much effect in practice.  A
few quick refs (which in turn point to further refs; you can chase these
across to various other web pages):

http://www.codinghorror.com/blog/2007/01/keeping-time-on-the-pc.html
http://blogs.msdn.com/b/oldnewthing/archive/2010/11/05/10086404.aspx

Peter.
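The nonce question above is something a relying party can check for itself: send an OCSP request carrying a nonce, then see whether the response echoes it. The following is an added example, not code from this thread or from any CA or from Opera; it uses the pyca/cryptography library, builds a throwaway CA and leaf certificate in memory (constructed data, no network), plays the responder in two modes (echoing the nonce versus ignoring it, as the thread says real responders do), and classifies the outcome from the client's side. The function and variable names (`build_demo_pki`, `make_request`, `make_response`, `check_nonce`) are this example's own.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _make_cert(subject, issuer, pubkey, signing_key, is_ca):
    """Minimal certificate for the demo PKI (constructed data, 30-day validity)."""
    now = datetime.datetime.utcnow()
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_demo_pki():
    """Return (ca_key, ca_cert, leaf_cert): a self-signed CA and one leaf it issued."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA (constructed)")])
    ca_cert = _make_cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo.example")])
    leaf_cert = _make_cert(leaf_name, ca_name, leaf_key.public_key(), ca_key, False)
    return ca_key, ca_cert, leaf_cert


def make_request(leaf_cert, ca_cert, nonce):
    """Client side: an OCSP request for leaf_cert carrying the id-pkix-ocsp-nonce extension."""
    return (
        ocsp.OCSPRequestBuilder()
        .add_certificate(leaf_cert, ca_cert, hashes.SHA1())
        .add_extension(x509.OCSPNonce(nonce), critical=False)
        .build()
    )


def make_response(leaf_cert, ca_cert, ca_key, nonce=None):
    """Responder side (the CA signs directly here). nonce=None models a responder that
    ignores the request nonce and serves a nonce-free, cacheable answer."""
    now = datetime.datetime.utcnow()
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + datetime.timedelta(days=7),
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    if nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def _nonce_of(extensions):
    """Nonce bytes from an extension set, or None if the extension is absent."""
    try:
        return extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return None


def check_nonce(request, response):
    """Classify the responder's nonce handling: 'echoed', 'missing' or 'mismatch'.
    'missing' means freshness rests only on thisUpdate/nextUpdate and the local
    clock, so an old signed response could be replayed within its validity window."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unsuccessful"
    sent = _nonce_of(request.extensions)
    got = _nonce_of(response.extensions)
    if got is None:
        return "missing"
    if got != sent:
        return "mismatch"
    return "echoed"


if __name__ == "__main__":
    ca_key, ca_cert, leaf = build_demo_pki()
    req = make_request(leaf, ca_cert, bytes(range(16)))
    print("honouring responder:", check_nonce(req, make_response(leaf, ca_cert, ca_key, bytes(range(16)))))
    print("ignoring responder: ", check_nonce(req, make_response(leaf, ca_cert, ca_key, None)))
```

The "missing" branch is the case the thread is about: once the nonce is dropped, the only freshness signal left is the response's time window measured against the client's clock, which ties the nonce point directly to the clock-synchronisation point raised in the same message.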
