Diginotar Responds To Rogue Certificate Problem 177
An anonymous reader writes "Vasco, the owner of the DigiNotar CA implicated in the MITM attacks on Iranian Google users has responded to their fraudulently issued certificate problems. The press release reads: 'On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate'. It is not clear whether the latter certificate is the one used in Iran, or whether other certificates remain at large. I guess removing the root certificate from browsers is the correct response."
So they don't know... (Score:4, Insightful)
... how many forged certs are now in the wild? Nuke the CA, they are incompetent.
To whom it make concern: (Score:5, Insightful)
So, is there any reason that this company shouldn't just be sold for scrap now? Their security clearly isn't good enough, their secretive attitude isn't exactly in line with being a 'trusted' certificate authority, and they can't even hire the right outside assistance to help them clean up their own messes. Hell, at this point, my very own FuzzyFuzzyFungus' SporeCert(tm) trust solutions would appear to be a better bet...
Root certs need to be restricted by TLD (Score:5, Insightful)
Currently, root certificates are wildcards, usable for any TLD. They need to be restricted to a single TLD, or a short list.
Single-nation CAs and government-operated CAs should be restricted to their TLD. For the generic TLDs, ("com", ".net", etc,) the CA/Browser Forum should require the CAs to post a large bond [cabforum.org], from which a penalty is forfeited if any improperly issued cert is found. That should get the problem under control.
Re:Re comodo (Score:3, Insightful)
That's because you're a paranoid wingnut. Believe it or not there are some jobs best left to the government. If you genuinely feel that way, Somalia is =========> that away.