Re: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
- Subject: Re: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
- From: Rex Sanders <email@hidden>
- Date: Wed, 07 Sep 2011 08:29:03 -0700
Your tool might need to delete and untrust a few more certificates:
http://www.globalsign.com/company/press/090611-security-response.html
"On Sep 5th 2011 the individual/group previously confirmed to have
hacked several Comodo resellers, claimed responsibility for the recent
DigiNotar hack. In his message posted on Pastebin, he also referred to
having access to 4 further high profile Certificate Authorities, and
named GlobalSign as one of the 4."
"As a responsible CA, we have decided to temporarily cease issuance of
all Certificates until the investigation is complete."
Plus we have this disturbing development for the DigiNotar CA:
https://blog.torproject.org/blog/diginotar-damage-disclosure
"The most egregious certs issued were for *.*.com and *.*.org ..."
which enables a wide range of MITM attacks (no *.*.gov?)
-- Rex
On Sep 6, 2011, at 10:33 PM, Paul Suh wrote:
Folks,
I updated the installer and docs on my page. It now handles the
Extended Validation certificates case as well.
Please spread the word widely.
--Paul
Paul Suh
email@hidden
(240) 672-4212
http://ps-enable.com/
On Sep 2, 2011, at 5:55 PM, Paul Suh wrote:
Folks,
I've updated the tools mpkg on my web page so that it will:
1) Delete the "DigiNotar Root CA" and "DigiNotar Root CA G2"
certificates.
2) Import the "DigiNotar Services 1024 CA" and "DigiNotar Root
CA" intermediate certificates signed by Entrust and mark them as
not trusted.
3) Import the "DigiNotar PKIoverheid CA Overheid en Bedrijven"
and "DigiNotar PKIoverheid CA Organisatie G2" signed by the Dutch
national government CA and mark them as not trusted.
This is ready for deployment on Snow Leopard systems. It will work
but does not apply all trust settings on Lion. I will be working on
updating the text on the page to give more details.
Spread the word.