At 16:49 17-11-2013, Theodore Ts'o wrote:
One of the reasons why the bogus Diginotar certificates were detected
was because Google Chrome had a feature called "certificate pinning"
--- which is not a feature normally associated with PKIs. It's
unfortunately not all that scalable, since it involved hard-coding
certificates, or their hashes, in the browser binary. The challenge
is coming up with a solution that *is* more scalable, and less
dependent on trusting that CAs are competently run.
Yes.
The certificate was issued on July 10, 2011. The user report was
filed on August 27, 2011.
At 17:32 17-11-2013, Phillip Hallam-Baker wrote:
Diginotar would have noticed the issue if they had been checking
their OCSP logs as well.
This raises the question of whether the ETSI audits were of any use.
Regards,
-sm
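An added illustration of the two detection mechanisms mentioned in the thread (this is example code written for this page, not code from Chrome, Diginotar or any participant): a hard-coded pin check over a presented chain, and a CA-side OCSP log check for serials the CA never issued. All hashes, serials and log lines are constructed values, not real ones.

```python
import hashlib
import re
from base64 import b64encode

# Stand-ins for DER-encoded SubjectPublicKeyInfo blobs (constructed, not real keys).
LEGIT_ROOT_SPKI = b"constructed-spki-legitimate-root"
LEGIT_INTERMEDIATE_SPKI = b"constructed-spki-legitimate-intermediate"
LEAF_SPKI = b"constructed-spki-site-leaf"
ROGUE_CA_SPKI = b"constructed-spki-rogue-ca"


def spki_hash(spki_der: bytes) -> str:
    """Base64 of SHA-256 over the SPKI, the form pins are usually stored in."""
    return b64encode(hashlib.sha256(spki_der).digest()).decode()


# Pins hard-coded into the client, as the thread describes: one entry per host.
# Constructed for this example; pinning the legitimate root and intermediate.
PINS = {
    "www.example.com": {spki_hash(LEGIT_ROOT_SPKI), spki_hash(LEGIT_INTERMEDIATE_SPKI)},
}


def chain_matches_pins(host: str, chain_spkis: list) -> bool:
    """True if any SPKI in the presented chain matches a pin for this host.
    Hosts without pins fall back to ordinary PKI validation (return True)."""
    pins = PINS.get(host)
    if pins is None:
        return True
    return any(spki_hash(spki) in pins for spki in chain_spkis)


# CA-side check: OCSP responders are asked about serials the CA never issued
# when a rogue certificate is in use. Log format below is constructed.
OCSP_LOG = """\
2011-07-20 10:01:02 ocsp-request serial=0A1B2C status=good
2011-07-20 10:01:05 ocsp-request serial=DEADBEEF status=unknown
2011-07-20 10:02:11 ocsp-request serial=0A1B2C status=good
2011-07-21 08:30:00 ocsp-request serial=FEEDFACE status=unknown
"""
ISSUED_SERIALS = {"0A1B2C", "33CC99"}


def unissued_serials_in_ocsp_log(issued: set, log_text: str) -> list:
    """Serials queried via OCSP that do not appear in the CA's issuance records."""
    queried = set(re.findall(r"serial=([0-9A-Fa-f]+)", log_text))
    return sorted(queried - issued)
```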