[cryptography] OT: DigiNotar Certificates Are Pulled, but Not on Smartphones

Jeffrey Walton noloader at gmail.com
Thu Sep 8 01:19:48 EDT 2011


(As far as I know, Apple has not fixed their desktop/server software
either. The folks that have to deal with it are still hacking
solutions [1]. Its not a big surprise, since Apple's PKI appears to be
generally broken from a programmer's perspective [2]).

http://www.pcworld.com/businesscenter/article/239607/diginotar_certificates_are_pulled_but_not_on_smartphones.html

Browser makers have generally been quick to react to the computer
compromise at digital certificate issuer DigiNotar, but that hasn't
been the case for all mobile phone makers.

On Tuesday neither Google nor Apple would comment on whether they plan
to revoke certificates issued by DigiNotar for Android or the iPhone,
even as desktop software makers pulled the plug on the Dutch company's
certificates.

Apple hasn't said anything about the DigiNotar situation since it was
disclosed last week, but Google was quick to revoke the company's
certificates for its Chrome browser last week. Its silence Tuesday
spoke to the complexity of its situation as both a victim of the
attacks and a provider of the software that can thwart them. The
problem is that Google's Android phones are updated via mobile phone
carriers, companies that are typically much slower to issue patches
than PC software vendors such as Microsoft.

...

[1] "Apple's Rogue DigiNotar CA mitigation?",
http://lists.apple.com/archives/fed-talk/2011/Sep/msg00003.html
[2] "SecKeyRef object without KeyChain",
http://lists.apple.com/archives/apple-cdsa/2009/Sep/msg00007.html



More information about the cryptography mailing list