Google might shun Dutch gov certificates from DigiNotar In the wake of hundreds of fraudulent secure sockets layer certificates issued by DigiNotar, Google developers are preparing a version of the Chrome browser that rejects some web credentials sanctioned by the Dutch government's official certificate authority. Source code posted Thursday afternoon California time on Google's own …
"PKIoverheid has been compromised or otherwise is untrustworthy through its link to Diginotar"
Its not PKIoverheid that is untrustworthy, its any certificate that comes from Diginotar.
I'm guessing that this is probably "game over" for Diginotar. Are there any other companies that belong to the same owners/parent company? If so we should consider blocking them too.
I noticed that DigiNotar's own website is now using a cert from their sub-ordinate CA under PKIoverheid. I will be recommending my enterprise to have that DigiNotar CA removed from PCs and servers as well.
The number of root CAs listed in Trusted Root lists by default is far too big. There is no way that vendors have vetted all these except maybe check each has a CPS and CRL published? The last few versions of Firefox crash if they perform an OCSP request and get back response signed by a cert that is not the root cert. I recently tripped over the bug whilst setting up a PKI and it appears to have been around for years. So I can't recommend FF for secure enterprise use 8-(
Security conscious enterprises are limiting the trusted CA list to a small number for critical systems. Unfortunately most people are left with whatever the vendor decides to chuck in.
If we must rely on secrurity certificates, we have to know they are trustworthy, if we can't know that, then we shouldn't trust them. Being able to revoke Certificate Authority when you can not trust the certificates is completely appropriate, And, the system would be even more broken than it is if we never excersize that option.
Diginotar can reissue all thier old certs, and sign them with a new cert. Pain in the butt, but that's the solution that this system accomodates.
If any company is incompetent enough to not maintain security on it's root certificates, why should you trust them again? I will forever manually remove Diginotar, as well as other CA's that have/will break said trust from my certificate stores - I encourage others to follow. CA's need to know that trust is EVERYTHING in their business - and once you break that trust, it's game over... Burn me once, shame on you; burn me twice, shame on me.
Is it possible (within current standards) for two or more root authorities to countersign a certificate, in effect saying "we both/all believe that the holder of this certificate is who it says on the tin". (It certainly is for some purposes, because Windows' kernel-mode code signing does exactly that.)
If so, and if this were the common practice, the failure of a single root would not inspire mass distrust of the valid certificates and we wouldn't have situations like this.
Spokesmen should brush up on their archaic Dutch genitive case plural definite article skills*:
a spokesman wrote in an email. "Our top priority is to protect the privacy and security of our users. To be clear, in this instance we are considering a CA operated by DigiNotar, not the Staat de Nederlanden root CA"
Staat de Nederlanden root CA
[State the Netherlands root CA]
should be
Staat der Nederlanden root CA
[State of the Netherlands root CA]
* Sounds impressive, but honestly, my English skills might be below that of the spokesman mentioned - I have no idea whether what I just spouted is actually correct. But hey, this is a comment, so.... ;)
Is it possible to get a certificate for a single website issued in parallel by multiple CA's?
Obviously, only a single certificate should be deployed (unless you really trust your load balancer), but I would then have at least one, unused and stored in a safe, that could be deployed in the event of a CA compromise.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
