On 3/01/2009, at 6:06 AM, Steven M. Bellovin wrote:
On Fri, 2 Jan 2009 17:53:55 +0100 "Terje Bless" <link@pobox.com> wrote:
On Fri, Jan 2, 2009 at 5:44 PM, <Valdis.Kletnieks@vt.edu> wrote:
Hmm... so basically all deployed FireFox and IE either don't even try to do a CRL, or they ask the dodgy certificate "Who can I ask if you're dodgy?"
Hmm. Don't the shipped-with-the-browser trusted root certificates include a CRL URL?
Every CA runs its own CRL server -- it has to be that way.
But the engineered certificate won't be considered trusted if its whole chain back to the root isn't trusted, and one or more of the certificates in that chain should have been shipped with the browser and hopefully includes a CRL URL. Although they won't want to, surely the roots should revoke their root certificates that issued MD5-signed certificates, and issue new root certificates for issuing SHA-1-signed certificates. Browsers would then stop trusting all the MD5-signed certificates due to them not having a trusted chain back to the root, assuming they bother to check all the certificates in the chain for revocation. Of course, this will just make the browsers pop up dialog boxes which everyone will click OK on... -- Jasper Bryant-Greene Network Engineer, Unleash ddi: +64 3 978 1222 mob: +64 21 129 9458