From: Peter Gutmann <pgut001-kVWAYfnMFF2W8ldZTk/re6VXKuFTiq87 <at> public.gmane.org>
Subject: Re: An appropriate image from Diginotar
Newsgroups: gmane.comp.security.cryptography.randombit
Date: Thursday 1st September 2011 04:20:01 UTC (over 5 years ago)
Lucky Green  writes:

>There is one useful data point that came from the DigiNotar mess-up: we now
>know, thanks to Mozilla, Debian, and the SSL Observatory what the lower bound
>is for a failed CA to be considered too big to fail.

There are additional confounding factors in this case: the CA doesn't seem to
know how many other fraudulent certs are still floating around out there, so
there's no alternative but to pull the root cert in order to deal with them.
Google seem to be doing it by date range, specifically blocking certs issued
during the known-compromised time interval.

>You must have issued some (unknown) number in excess of 701 SSL certs to
>not see your root pulled from certificate-consuming software when you mess up.
>
>---
>@nocombat writes: SSL Observatory: select count(Subject) from
>valid_certs where Issuer like '%diginotar%' â01
>---

They've only issued 700-odd SSL certs?  Wow, that's low.  OTOH since their
gravy train is mainly built around the Dutch government's PKI letter of marque
[0], I could imagine that their generic SSL cert business doesn't get much
attention.

Peter.

[0] They have some... interesting business practices designed to lock users
    into their PKI services.
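The message contrasts two ways a client can stop trusting a compromised CA: pulling the root outright, or doing what Google is described as doing and rejecting only certs issued inside the known-compromised window. The following is an added example, not code from the post, from Gmane, from the SSL Observatory or from any browser vendor. It models both policies over an Observatory-style table using Python's standard-library sqlite3. Everything in it is constructed: the table only borrows the column names Subject and Issuer from the quoted query (NotBefore is an added column, and the real Observatory schema is not reproduced), the certificate rows are made up, and the July 2011 window is a placeholder, not the actual compromise dates.

```python
import sqlite3

# Constructed placeholder window; the real compromise dates are not in the post.
COMPROMISE_START = "2011-07-01"
COMPROMISE_END = "2011-07-31"

# Constructed sample rows, not Observatory data. Only the column names
# Subject and Issuer come from the quoted query; NotBefore is an assumption.
SAMPLE_CERTS = [
    ("CN=www.example.nl", "CN=DigiNotar Public CA 2025", "2010-03-01"),
    ("CN=mail.example.nl", "CN=DigiNotar Public CA 2025", "2011-07-10"),
    ("CN=login.example.org", "CN=DigiNotar Public CA 2025", "2011-07-22"),
    ("CN=intranet.example.nl", "CN=DigiNotar Services CA", "2011-08-20"),
    ("CN=shop.example.com", "CN=Some Other CA", "2011-07-15"),
]


def build_db():
    """Create an in-memory table shaped like the one the quoted query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE valid_certs (Subject TEXT, Issuer TEXT, NotBefore TEXT)"
    )
    conn.executemany("INSERT INTO valid_certs VALUES (?, ?, ?)", SAMPLE_CERTS)
    return conn


def count_issued_by(issuer_fragment, conn=None):
    """The count query from the post, parameterised.

    SQLite's LIKE is case-insensitive for ASCII, so '%diginotar%' matches
    issuers spelled 'DigiNotar', just as in the quoted Observatory query.
    """
    if conn is None:
        conn = build_db()
    row = conn.execute(
        "SELECT count(Subject) FROM valid_certs WHERE Issuer LIKE ?",
        (f"%{issuer_fragment}%",),
    ).fetchone()
    return row[0]


def distrusted_subjects(policy, issuer_fragment="diginotar", conn=None):
    """Subjects a client would reject under one of the two policies:

    'pull_root'  - everything chaining to the CA (root removed from the store)
    'date_range' - only certs whose NotBefore falls inside the compromise window
    """
    if conn is None:
        conn = build_db()
    if policy == "pull_root":
        sql = "SELECT Subject FROM valid_certs WHERE Issuer LIKE ? ORDER BY Subject"
        params = (f"%{issuer_fragment}%",)
    elif policy == "date_range":
        # ISO-8601 date strings compare correctly as text.
        sql = (
            "SELECT Subject FROM valid_certs WHERE Issuer LIKE ? "
            "AND NotBefore BETWEEN ? AND ? ORDER BY Subject"
        )
        params = (f"%{issuer_fragment}%", COMPROMISE_START, COMPROMISE_END)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return [row[0] for row in conn.execute(sql, params)]


def left_trusted_by_date_range(issuer_fragment="diginotar", conn=None):
    """Certs the date-range policy keeps trusting but root removal would not.

    This is the gap the message points at: if the CA cannot bound the
    compromise, anything issued outside the known window stays accepted.
    """
    if conn is None:
        conn = build_db()
    pulled = set(distrusted_subjects("pull_root", issuer_fragment, conn))
    ranged = set(distrusted_subjects("date_range", issuer_fragment, conn))
    return sorted(pulled - ranged)


if __name__ == "__main__":
    print("issued by CA:", count_issued_by("diginotar"))
    print("pull_root rejects:", distrusted_subjects("pull_root"))
    print("date_range rejects:", distrusted_subjects("date_range"))
    print("still trusted under date_range:", left_trusted_by_date_range())
```

Run as a script it prints the count the quoted query would give over the sample rows (4), the four subjects a root pull rejects, the two a date-range block rejects, and the two that remain trusted under the date-range policy: one issued before the window and one after it. Whether those two are legitimate is exactly what the CA cannot tell the relying parties, which is why the message concludes that pulling the root is the only safe option when the issuance history is unknown.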