[cryptography] An appropriate image from Diginotar
pgut001 at cs.auckland.ac.nz
Thu Sep 1 00:20:01 EDT 2011
Lucky Green <shamrock at cypherpunks.to> writes:
>There is one useful data point that came from the DigiNotar mess-up: we now
>know, thanks to Mozilla, Debian, and the SSL Observatory what the lower bound
>is for a failed CA to be considered too big to fail.
There are additional confounding factors in this case, the CA doesn't seem to
know how many other fraudulent certs are still floating around out there, so
there's no alternative but to pull the root cert in order to deal with them.
Google seem to be doing it by date range, specifically blocking certs issued
during the known-compromised time interval.
>You must have issued some (unknown) number in excess of 701 SSL certs to
>not see your root pulled from certificate-consuming software when you mess up.
>@nocombat writes: SSL Observatory: select count(Subject) from
>valid_certs where Issuer like '%diginotar%' → 701
They've only issued 700-odd SSL certs? Wow, that's low. OTOH since their
gravy train is mainly built around the Dutch government's PKI letter of marque,
I could imagine that their generic SSL cert business doesn't get much
They have some... interesting business practices designed to lock users
into their PKI services.