In the wake of hundreds of fraudulent secure sockets layer certificates issued by DigiNotar, Google developers are preparing a version of the Chrome browser that rejects some web credentials sanctioned by the Dutch government's official certificate authority. Source code posted Thursday afternoon California time on Google's own …
Has PKIoverheid been compromised?
"PKIoverheid has been compromised or otherwise is untrustworthy through its link to Diginotar"
It's not PKIoverheid that is untrustworthy, it's any certificate that comes from Diginotar.
I'm guessing that this is probably "game over" for Diginotar. Are there any other companies that belong to the same owners/parent company? If so we should consider blocking them too.
I noticed that DigiNotar's own website is now using a cert from their subordinate CA under PKIoverheid. I will be recommending that my enterprise have that DigiNotar CA removed from PCs and servers as well.
The number of root CAs listed in Trusted Root lists by default is far too big. There is no way that vendors have vetted all these, except maybe to check each has a CPS and CRL published? The last few versions of Firefox crash if they perform an OCSP request and get back a response signed by a cert that is not the root cert. I recently tripped over the bug whilst setting up a PKI and it appears to have been around for years. So I can't recommend FF for secure enterprise use 8-(
Security conscious enterprises are limiting the trusted CA list to a small number for critical systems. Unfortunately most people are left with whatever the vendor decides to chuck in.
I think it's fair.
If we must rely on security certificates, we have to know they are trustworthy; if we can't know that, then we shouldn't trust them. Being able to revoke a Certificate Authority when you cannot trust the certificates is completely appropriate, and the system would be even more broken than it is if we never exercised that option.
Diginotar can reissue all their old certs, and sign them with a new cert. Pain in the butt, but that's the solution that this system accommodates.
If any company is incompetent enough to not maintain security on its root certificates, why should you trust them again? I will forever manually remove Diginotar, as well as other CAs that have/will break said trust, from my certificate stores - I encourage others to follow. CAs need to know that trust is EVERYTHING in their business - and once you break that trust, it's game over... Burn me once, shame on you; burn me twice, shame on me.
Is it possible (within current standards) for two or more root authorities to countersign a certificate, in effect saying "we both/all believe that the holder of this certificate is who it says on the tin"? (It certainly is for some purposes, because Windows' kernel-mode code signing does exactly that.)
If so, and if this were the common practice, the failure of a single root would not inspire mass distrust of the valid certificates and we wouldn't have situations like this.
A certificate authority that handles breaches slowly isn't much use.
Open the utility 'Keychain Access', click the padlock icon to authenticate as an admin, select the category 'Certificates', search for DigiNotar, select the certificate, and hit delete.
That doesn't revoke the certificates in question.
Nor will it properly revoke/distrust the DigiNotar root certificates - http://www.pcworld.com/businesscenter/article/239269/mac_os_x_cant_properly_revoke_dodgy_digital_certificates.html
But changing the DigiNotar entry (in Keychain) to Untrusted (and leaving the entry there) shows a warning for any DigiNotar certificates.
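The Keychain steps above and the earlier "remove it from my certificate stores" comment are manual; the following added example (not from the article or any commenter) does the same audit for a PEM trust bundle such as the ones Linux systems and many server products ship: it walks each certificate's DER far enough to read the subject Name, drops every entry whose subject mentions a distrusted CA name, and reports the SHA-256 fingerprint of what it removed. The `fake_cert` helper builds constructed, unsigned placeholder certificates purely so the code runs offline; they are not real DigiNotar or PKIoverheid certificates.

```python
import base64
import hashlib
import re

# Minimal DER helpers: enough X.509 to reach tbsCertificate.subject. Assumes definite
# lengths no longer than 65535 bytes, which holds for real CA certificates.
def tlv(tag, body):
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the real length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def subject_strings(der):
    """Attribute strings (O, CN, ...) of a DER certificate's subject Name."""
    fields = children(children(children(der)[0][1])[0][1])  # tbsCertificate fields
    subject = fields[5 if fields[0][0] == 0xA0 else 4][1]   # skip [0] version if present
    return [v.decode("utf-8", "replace") for _, rdn in children(subject)
            for _, atv in children(rdn) for t, v in children(atv) if t != 0x06]

def audit_bundle(pem_text, distrusted=("DigiNotar",)):
    """Return (cleaned bundle, [(sha256 fingerprint, subject strings)] of dropped certs)."""
    kept, dropped = [], []
    pem_re = r"(-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----)"
    for block, b64 in re.findall(pem_re, pem_text, re.S):
        der = base64.b64decode("".join(b64.split()))
        subj = subject_strings(der)
        if any(d.lower() in s.lower() for d in distrusted for s in subj):
            dropped.append((hashlib.sha256(der).hexdigest(), subj))
        else:
            kept.append(block + "\n")
    return "".join(kept), dropped

# Constructed, unsigned placeholder certificate (not a real CA cert) so the demo runs offline.
# Name = SEQUENCE OF SET OF SEQUENCE{OID, UTF8String}; 2.5.4.10 = O, 2.5.4.3 = CN.
def fake_cert(org, cn):
    atv = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, s.encode())))
    name = tlv(0x30, atv(b"\x55\x04\x0A", org) + atv(b"\x55\x04\x03", cn))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name + tlv(0x30, b"") + name + tlv(0x30, b""))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Matching on the subject name rather than on one fingerprint is deliberate: it catches the root and any subordinate CA carrying the same operator name, which a single-fingerprint deletion misses.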
Seems to be a taboo subject on Apple support forums? Any post mentioning Digi(thingy) in any way is being deleted.
Firefox 6.0.1 for Linux Mint just said: www.nicugehoorscreening.nl uses an invalid security certificate.
Dutch language skills sadly declining
Spokesmen should brush up on their archaic Dutch genitive case plural definite article skills*:
a spokesman wrote in an email. "Our top priority is to protect the privacy and security of our users. To be clear, in this instance we are considering a CA operated by DigiNotar, not the Staat de Nederlanden root CA"
Staat de Nederlanden root CA
[State the Netherlands root CA]
Staat der Nederlanden root CA
[State of the Netherlands root CA]
* Sounds impressive, but honestly, my English skills might be below that of the spokesman mentioned - I have no idea whether what I just spouted is actually correct. But hey, this is a comment, so.... ;)
It's unclear when the changes will take effect in Firefox, Thunderbird or SeaMonkey
That's actually very clear. It already has. I already received an update to Firefox a few days back, where the changelog clearly indicates that this update involves revoking trust in DigiNotar.
What if this isn't the only one?
Is it possible to get a certificate for a single website issued in parallel by multiple CAs?
Obviously, only a single certificate should be deployed (unless you really trust your load balancer), but I would then have at least one, unused and stored in a safe, that could be deployed in the event of a CA compromise.