Slashdot Mirror


Certificate Blunders May Mean the End For DigiNotar

Certificate Authority DigiNotar is having a rough time of it. dinscott writes with these words from Help Net Security: "After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, around 4200 qualified certificates — i.e. certificates used to create digital signatures — issued by the CA are currently in the process of being revoked and their holders notified of the fact by the Dutch independent post and telecommunication authority (OPTA). Starting from yesterday, OPTA has terminated the accreditation of DigiNotar as a certificate provider for 'qualified' certificates. The revocation of this accreditation also makes DigiNotar unqualified to issue certificates under the PKIoverheid CA."


  1. But not the end for the CA system? by betterunixthanunix · Score: 3, Insightful

    It's not like we have reason to think that other CAs have not had unreported blunders. In fact, we have every reason to think that the whole CA system is broken, and is just hanging on because nobody is willing to put in the effort needed to replace it.

    --
    Palm trees and 8
    1. Re:But not the end for the CA system? by icebraining · Score: 3, Insightful

      The main benefit from this system is "trust agility". If someone hacks and obtains a root cert from Verisign, what are you (or the browser vendor) going to do? Keep the cert in the browser and risk being MITMed, or remove it and break half of the encrypted websites? DigiNotar was just a small CA, but what if a big one is hacked?

      Convergence/Perspectives lets you have more than one notary verifying each cert, which means you won't break anything if you need to remove trust in one of them. By itself this makes it much better than the CA system, in my opinion.
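The trust-agility point in the comment above, as an added example that is not part of the thread and not code from Perspectives or Convergence: a toy model of the two trust structures side by side. The single-root CA model is compared with a notary quorum, and the scenario in each is "one trust anchor gets compromised, and the browser vendor has to decide whether to pull it". Hostnames, CA and notary names, and the certificate fingerprints are all constructed for the illustration; the quorum threshold of two is an assumption, not anything the real projects prescribe.

```python
"""Toy comparison of single-root CA trust with a notary quorum.
Added example; all names and fingerprints below are constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed fingerprints, not real hashes.
GOOD_FP = "sha256:1111"   # the site's genuine certificate
MITM_FP = "sha256:dead"   # a mis-issued certificate an intruder would present


@dataclass
class CaBrowser:
    """Classic model: a fixed set of trusted roots; a site is accepted if its
    certificate chains to any one of them."""
    trusted_roots: set

    def accept(self, site_cert: dict) -> bool:
        return site_cert["issuer_root"] in self.trusted_roots

    def distrust(self, root: str) -> None:
        self.trusted_roots.discard(root)


@dataclass
class NotaryBrowser:
    """Perspectives/Convergence-style model: each notary reports the fingerprint
    it has observed for a host from its own network vantage point; the browser
    accepts the presented certificate only if at least `quorum` of the notaries
    it still trusts agree with it."""
    notaries: dict   # notary name -> {host: observed fingerprint}
    quorum: int

    def accept(self, host: str, presented_fp: str) -> bool:
        votes = Counter(obs.get(host) for obs in self.notaries.values())
        return votes[presented_fp] >= self.quorum

    def distrust(self, notary: str) -> None:
        self.notaries.pop(notary, None)


def ca_model_after_root_compromise() -> dict:
    """Two sites chain to BigCA and one to SmallCA. After BigCA is compromised
    and mis-issues a cert for the bank, the vendor has two options, both bad:
    keep the root and the forged cert is accepted, or pull it and every honest
    BigCA customer breaks along with the forgery."""
    browser = CaBrowser(trusted_roots={"BigCA", "SmallCA"})
    certs = {
        "bank": {"issuer_root": "BigCA"},
        "shop": {"issuer_root": "BigCA"},
        "blog": {"issuer_root": "SmallCA"},
        "forged_bank": {"issuer_root": "BigCA"},  # mis-issued by the intruder
    }
    keep_root = {name: browser.accept(c) for name, c in certs.items()}
    browser.distrust("BigCA")
    distrust_root = {name: browser.accept(c) for name, c in certs.items()}
    return {"keep_root": keep_root, "distrust_root": distrust_root}


def notary_model_after_notary_compromise() -> dict:
    """Three notaries, quorum of two. One notary is compromised and starts
    vouching for the attacker's fingerprint; the quorum already blocks the
    MITM cert, and removing the rogue notary leaves the genuine cert accepted."""
    browser = NotaryBrowser(
        notaries={
            "notary-a": {"bank.example": GOOD_FP},
            "notary-b": {"bank.example": GOOD_FP},
            "notary-c": {"bank.example": GOOD_FP},
        },
        quorum=2,
    )
    browser.notaries["notary-c"]["bank.example"] = MITM_FP  # notary-c goes rogue
    rogue_present = {
        "mitm_cert_accepted": browser.accept("bank.example", MITM_FP),  # 1 vote < 2
        "good_cert_accepted": browser.accept("bank.example", GOOD_FP),  # 2 votes
    }
    browser.distrust("notary-c")
    rogue_removed = {
        "mitm_cert_accepted": browser.accept("bank.example", MITM_FP),  # 0 votes
        "good_cert_accepted": browser.accept("bank.example", GOOD_FP),  # 2 of 2
    }
    return {"rogue_present": rogue_present, "rogue_removed": rogue_removed}


if __name__ == "__main__":
    print(ca_model_after_root_compromise())
    print(notary_model_after_notary_compromise())
```

The asymmetry is the whole argument: in the CA model every site behind the compromised root shares its fate, so distrusting the root is a decision about collateral damage, whereas in the notary model trust is spread across independent observers and dropping one of them costs nothing as long as the quorum can still be met. The real systems add history (how long a notary has seen the same fingerprint) and per-client notary selection on top of this; the quorum vote alone is what the toy shows.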

  2. The Price Of Trust by Wiz-Hum-Mal-Cha · Score: 5, Insightful

    If getting compromised and issuing bad certificates *didn't* cost you your position of trust, then what credibility would the certification process have anyway?

  3. And good riddance to them... by SigILL · Score: 5, Insightful

    If you won't properly separate your security-critical systems from your Internet-facing systems, or cannot even keep them from being rooted multiple times, you have no business being a CA.

    Honestly, it's understandable DigiNotar didn't want this information out: bankruptcy is inevitable now, and that's bad for shareholder value.

    --
    Error: password can't contain reverse spelling of ancient Chinese emperor
  4. "Certificate Blunders May Mean the End.." by Dynamoo · Score: 3, Insightful

    What.. you reckon? They were tasked to do ONE THING and ended up in an epic case of fail and pwnage.

    --
    Never email donotemail@WeAreSpammers.com