[cryptography] An appropriate image from Diginotar

Lucky Green shamrock at cypherpunks.to
Wed Aug 31 22:43:43 EDT 2011


On 2011-08-30 10:02, Peter Gutmann wrote:
> http://www.diginotar.com/Portals/0/Skins/DigiNotar_V7_COM/image/home/headerimage/image01.png
> 
> The guy in the background must have removed his turban/taqiyah for the photo.

There is one useful data point that came from the DigiNotar mess-up: we
now know, thanks to Mozilla, Debian, and the SSL Observatory what the
lower bound is for a failed CA to be considered too big to fail.

You must have issued some (unknown) number in excess of 701 SSL certs to
not see your root pulled from certificate-consuming software when you
mess up.

---
@nocombat writes: SSL Observatory: select count(Subject) from
valid_certs where Issuer like '%diginotar%' → 701
---

So far, we only knew what the upper bound is to be considered too big to
fail, which was the number of certs issued by Comodo and Symantec
(VeriSign).

--Lucky Green



More information about the cryptography mailing list