Certificate Blunders May Mean the End For DigiNotar 128
Certificate Authority DigiNotar is having a rough time of it. dinscott writes with these words from Help Net Security: "After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, around 4200 qualified certificates — i.e. certificates used to create digital signatures — issued by the CA are currently in the process of being revoked and their holders notified of the fact by the Dutch independent post and telecommunication authority (OPTA). Starting from yesterday, OPTA has terminated the accreditation of DigiNotar as a certificate provider for 'qualified' certificates. The revocation of this accreditation also makes DigiNotar unqualified to issue certificates under the PKIoverheid CA."
But not the end for the CA system? (Score:4, Insightful)
The Price Of Trust (Score:5, Insightful)
And good riddance to them... (Score:5, Insightful)
If you won't properly separate your security-critical systems from your Internet-facing systems, or cannot even keep them from being rooted multiple times, you have no business being a CA.
Honestly, it's understandable DigiNotar didn't want this information out: bankrupcy is inevitable now, and that's bad for shareholder value.
"Certificate Blunders May Mean the End.." (Score:4, Insightful)
Re:But not the end for the CA system? (Score:4, Insightful)
The main benefit from this system is "trust agility". If someone hacks and obtains a root cert from Verisign, what are you (or the browser vendor) going to do? Keep the cert on the browser and risk being MITMed, or removing it and break half of encrypted websites? Diginotar was just a small CA, but what if a big one is hacked?
Convergence/Perspectives lets you have more than one notary verifying each cert, which means you won't break anything if you need to remove trust on one of them. By itself this makes it much better than the CA system, in my opinion.