On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
Date: Mon, 12 Sep 2011 11:22:11 -0400 Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates From: Christopher Morrow <morrowc.lists@gmail.com>
I think I need a method that the service operator can use to signal to my user-client outside the certificate itself that the certificate #1234 is the 'right' one.
A certificate that cdrtifies the crertificate is valid, maybe?
so the DANE work does this, sort of... you sign (with dnssec) your cert fingerprint, the client does a lookup (requiring dnssec signed responses) to verify that the cert FP matches that which is in DNS.
And why would you trust that any more than the origial certificate?
at least in this case the domain owner (presumably the service owner in question) has signed (with their private key) the DNS content you get back. There are failure modes, but it's more in line with the service-owner/service-user level not some oddball thirdparty.
Seriously, about the only way I see to ameliorate this kind of problem is for people to use self-signed certificates that are then authenticated by _multiple_ 'trust anchors'. If the end-user world raises warnings for a certificate 'authenticated' by say, less than five separate entities. then the compomise of any _single_ anchor is of pretty much 'no' value. Even better, let the user set the 'paranoia' level -- how many different 'trusted' authorities have to have authenticated the self-signed certificate before the user 'really trusts' it.
this almost sounds like GPS position fixing... 'require 4 satellites in view', or something along those lines. Interesting as an idea though. -chris