Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

2009-01-05 09:57:16
Yoav Nir wrote:

This sounds great at an IETF mike, but out in the field how do you get all those millions of browsers to pull down a new trust list that will no longer include CA foobar?

Can't happen now, and the way things are going, ain't going to happen before 2026 either.

There's this one company such that if they use Windows update to update their browsers, the others will follow. Technically, it's very easy to get rid of the bad CAs. However, that company is not going to modify their browsers, not now, probably not in the next few years.

I hate to burst your bubble, but there's no automated way to *remove* certs from the MS cert store. You have to script it, and the script can fail any number of different ways.

The only reliable way to nuke a trusted cert from Windows is touch management of workstations.

-- Tim
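The kind of removal script Tim refers to, written here as an added example rather than anything posted in the thread. It assumes a Windows host with PowerShell 3 or later and its built-in Cert: drive (not present on the 2009-era systems under discussion), it must be run elevated to touch the LocalMachine stores, and the thumbprint it takes is a placeholder to be replaced with the value from the relevant advisory. It shows several of the ways such a script can fail quietly: not elevated, certificate present in a store it was not told to look in, or removal succeeding in one store but not another.

```powershell
# Added example (not from the thread): remove a distrusted CA certificate from the
# machine-wide trust stores by thumbprint, and verify the result.
# Placeholder thumbprint: 40 hex characters; substitute the real one before use.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint,
    # Root = trusted roots, CA = intermediates; AuthRoot holds Microsoft-pushed roots.
    [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\AuthRoot'),
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

# Failure mode 1: running without elevation. Reads succeed, removes throw Access Denied,
# so check up front instead of discovering it half-way through the store list.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Must run elevated to modify LocalMachine certificate stores.'
    exit 2
}

$summary = [ordered]@{ Found = 0; Removed = 0; Failed = 0 }

foreach ($store in $Stores) {
    # Match on thumbprint, not subject: a rogue CA can carry the same subject name as a
    # legitimate one, and the thumbprint is what the advisory publishes.
    $hits = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -ieq $Thumbprint }
    foreach ($cert in $hits) {
        $summary.Found++
        Write-Host ("Found '{0}' in {1}" -f $cert.Subject, $store)
        if ($WhatIf) { continue }
        try {
            # PSPath is the provider path of this exact object, e.g. Cert:\LocalMachine\Root\<thumb>.
            Remove-Item -Path $cert.PSPath
            $summary.Removed++
        } catch {
            # Failure mode 2: removal blocked (policy, store ACL, provider error).
            $summary.Failed++
            Write-Warning ("Could not remove from {0}: {1}" -f $store, $_.Exception.Message)
        }
    }
}

# Failure mode 3: trust it is gone only after re-reading the store, not because Remove-Item
# returned without an error.
$stillPresent = foreach ($store in $Stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -ieq $Thumbprint } |
        ForEach-Object { $store }
}

# Failure mode 4: per-user stores are outside LocalMachine and are not touched here;
# report them so the operator knows the job is not finished for interactive users.
$userCopies = Get-ChildItem -Path 'Cert:\CurrentUser\Root' |
    Where-Object { $_.Thumbprint -ieq $Thumbprint }

Write-Host ("Found={0} Removed={1} Failed={2}" -f $summary.Found, $summary.Removed, $summary.Failed)
if ($stillPresent) {
    Write-Warning ("Still present after removal in: {0}" -f ($stillPresent -join ', '))
    exit 1
}
if ($userCopies) {
    Write-Warning 'Copy also present in this user''s CurrentUser\Root store; other profiles not checked.'
}
exit 0
```

Run it first with `-WhatIf` to see which stores actually hold the certificate, then without. A non-zero exit code is what a deployment tool should key on; note that a machine receiving the certificate again through Group Policy or a Windows root-update will show it back on the next run, which is why the re-read at the end matters more than the Remove-Item call itself.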

