[cryptography] An appropriate image from Diginotar

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 1 00:20:01 EDT 2011

Lucky Green <shamrock at cypherpunks.to> writes:

>There is one useful data point that came from the DigiNotar mess-up: we now 
>know, thanks to Mozilla, Debian, and the SSL Observatory what the lower bound 
>is for a failed CA to be considered too big to fail.

There are additional confounding factors in this case: the CA doesn't seem to 
know how many other fraudulent certs are still floating around out there, so 
there's no alternative but to pull the root cert in order to deal with them.  
Google seem to be doing it by date range, specifically blocking certs issued 
during the known-compromised time interval.

>You must have issued some (unknown) number in excess of 701 SSL certs to
>not see your root pulled from certificate-consuming software when you mess up.
>@nocombat writes: SSL Observatory: select count(Subject) from
>valid_certs where Issuer like '%diginotar%' â01

They've only issued 700-odd SSL certs?  Wow, that's low.  OTOH since their 
gravy train is mainly built around the Dutch government's PKI letter of marque 
[0], I could imagine that their generic SSL cert business doesn't get much 


[0] They have some... interesting business practices designed to lock users 
    into their PKI services.
