On Mon, Nov 18, 2013 at 2:04 AM, SM <sm@xxxxxxxxxxxx> wrote:
At 16:49 17-11-2013, Theodore Ts'o wrote:
Yes.
One of the reasons why the bogus Diginotar certificates were detected
was because Google Chrome had a feature called "certificate pinning"
--- which is not a feature normally associated with PKI's. It's
unfortunately not all that scalable, since it involved hard-coding
certificates, or their hashes, in the browser binary. The challenge
is coming up with a solution that *is* more scalable, and less
dependent on trusting that CA's are competently run.
The certificate was issued on July 10, 2011. The user report was filed on August 27, 2011. This raises the question of whether the ETSI audits were of any use.
At 17:32 17-11-2013, Phillip Hallam-Baker wrote:
Diginotar would have noticed the issue if they had been checking their OCSP logs as well.
DigiNotar did not have an audit for the system that was compromised.
They had an audit for a PKI they were running for the federal govt. It did not actually cover the public CA.
Website: http://hallambaker.com/
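
One check that a review of OCSP logs could include, shown as an added example that is not part of the original thread: compare every serial number that clients ask the responder about against the CA's own issuance records, and report serials the CA has no record of issuing. The log format, inventory, serial numbers and addresses below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed issuance inventory: serials the CA's own records say it issued.
ISSUED_SERIALS = {"0A1B2C", "00FF10", "7E:5D:01"}

# Constructed responder log: "<time> <client> serial=<hex> status=<status>".
# The status field is ignored on purpose: a responder may answer "good" for a serial it never issued.
SAMPLE_LOG = """\
2024-01-01T09:12:01Z 192.0.2.10 serial=0a1b2c status=good
2024-01-01T09:12:07Z 198.51.100.7 serial=DEAD01 status=good
2024-01-01T09:13:40Z 198.51.100.9 serial=de:ad:01 status=good
this line is truncated
2024-01-01T09:15:02Z 203.0.113.5 serial=FF10 status=good
2024-01-01T09:16:30Z 198.51.100.7 serial=0000DEAD01 status=good
"""

LINE_RE = re.compile(r"^(\S+) (\S+) serial=([0-9A-Fa-f][0-9A-Fa-f:]*) status=(\w+)$")

def norm(serial):
    """Canonical integer form: ignores case, colons and leading zeros."""
    return int(serial.replace(":", ""), 16)

def unrecorded_serials(log_text, issued):
    """Return ({serial: {count, first_seen, clients}}, malformed_line_count)."""
    known = {norm(s) for s in issued}
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "clients": set()})
    malformed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1  # count unparseable lines instead of silently dropping them
            continue
        ts, client, serial, _status = m.groups()
        n = norm(serial)
        if n in known:
            continue
        h = hits[n]
        h["count"] += 1
        h["first_seen"] = min(filter(None, (h["first_seen"], ts)))
        h["clients"].add(client)
    return dict(hits), malformed

if __name__ == "__main__":
    hits, bad = unrecorded_serials(SAMPLE_LOG, ISSUED_SERIALS)
    for serial, h in hits.items():
        print(f"serial {serial:X}: {h['count']} requests from {len(h['clients'])} clients, first seen {h['first_seen']}")
    print(f"{bad} malformed line(s) skipped")
```

Normalising serials before comparison matters here: the same serial written with colons, lower case or leading zeros must not be reported as three different unknowns, nor slip past the inventory check.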