Peter Gutmann | 1 Sep 06:20 2011

Re: An appropriate image from Diginotar

Lucky Green <shamrock@...> writes:

>There is one useful data point that came from the DigiNotar mess-up: we now 
>know, thanks to Mozilla, Debian, and the SSL Observatory what the lower bound 
>is for a failed CA to be considered too big to fail.

There are additional confounding factors in this case: the CA doesn't seem to 
know how many other fraudulent certs are still floating around out there, so 
there's no alternative but to pull the root cert in order to deal with them.  
Google seem to be doing it by date range, specifically blocking certs issued 
during the known-compromised time interval.

>You must have issued some (unknown) number in excess of 701 SSL certs to
>not see your root pulled from certificate-consuming software when you mess up.
>
>---
> <at> nocombat writes: SSL Observatory: select count(Subject) from
>valid_certs where Issuer like '%diginotar%' → 701
>---

They've only issued 700-odd SSL certs?  Wow, that's low.  OTOH since their 
gravy train is mainly built around the Dutch government's PKI letter of marque 
[0], I could imagine that their generic SSL cert business doesn't get much 
attention.

Peter.

[0] They have some... interesting business practices designed to lock users 
    into their PKI services.
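The two responses Peter contrasts above (pulling the root outright versus blocking only certs issued inside the known-compromised interval), written out as an added Python example that is not part of the post or of any browser's actual code. The `Cert` class, the policy functions, the issuer strings, the subjects and the compromise window are all constructed for this example; the real incident's dates and certificates are not used. The `count_issued_by` helper mirrors the shape of the SSL Observatory query quoted in the thread.

```python
"""
Added example (not from the mailing-list post): two client-side trust policies
for cutting off a compromised CA, applied to already-parsed certificate records.

  1. "Pull the root": distrust every certificate whose issuer matches the CA.
  2. "Block by date range": distrust only certificates from that CA whose
     notBefore falls inside the interval the CA is known to have been compromised.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime  # issue date as recorded in the certificate
    serial: str


# Constructed sample records standing in for rows of an Observatory-style table.
# Subjects, serials and dates are made up; none is a real certificate.
SAMPLE_CERTS: List[Cert] = [
    Cert("www.example-bank.nl", "CN=DigiNotar Public CA, O=DigiNotar", datetime(2010, 3, 14), "01"),
    Cert("mail.example.nl",     "CN=DigiNotar Public CA, O=DigiNotar", datetime(2011, 7, 10), "02"),
    Cert("login.example.test",  "CN=DigiNotar Public CA, O=DigiNotar", datetime(2011, 7, 10), "03"),
    Cert("www.example.com",     "CN=Some Other CA, O=Other",           datetime(2011, 7, 10), "04"),
]

# Constructed compromise window (placeholder dates, not the real incident timeline).
COMPROMISE_START = datetime(2011, 7, 1)
COMPROMISE_END = datetime(2011, 8, 31)


def issued_by(cert: Cert, issuer_fragment: str) -> bool:
    """Case-insensitive substring match on the issuer, like LIKE '%fragment%'."""
    return issuer_fragment.lower() in cert.issuer.lower()


def count_issued_by(certs: Iterable[Cert], issuer_fragment: str) -> int:
    """Equivalent of: select count(Subject) from valid_certs where Issuer like '%fragment%'."""
    return sum(1 for c in certs if issued_by(c, issuer_fragment))


def pull_root_policy(cert: Cert, distrusted_issuer: str) -> bool:
    """Accept the cert only if it does not chain to the distrusted CA at all."""
    return not issued_by(cert, distrusted_issuer)


def date_range_policy(cert: Cert, distrusted_issuer: str,
                      start: datetime, end: datetime) -> bool:
    """Accept unless the cert is from the distrusted CA and was issued inside the window."""
    if not issued_by(cert, distrusted_issuer):
        return True
    return not (start <= cert.not_before <= end)


def accepted_subjects(certs: Iterable[Cert], policy: Callable[[Cert], bool]) -> List[str]:
    """Subjects that survive a given policy, in input order."""
    return [c.subject for c in certs if policy(c)]


def compare_policies(certs: List[Cert], issuer: str,
                     start: datetime, end: datetime) -> Tuple[List[str], List[str]]:
    """Return (accepted under pull-root, accepted under date-range) for the same input."""
    full = accepted_subjects(certs, lambda c: pull_root_policy(c, issuer))
    ranged = accepted_subjects(certs, lambda c: date_range_policy(c, issuer, start, end))
    return full, ranged


if __name__ == "__main__":
    print("certs matching issuer:", count_issued_by(SAMPLE_CERTS, "diginotar"))
    full, ranged = compare_policies(SAMPLE_CERTS, "diginotar", COMPROMISE_START, COMPROMISE_END)
    print("pull-root accepts:  ", full)
    print("date-range accepts: ", ranged)
```

The date-range policy keeps the CA's older customers working, which is its appeal, but it depends on `notBefore`, a field the issuer writes. Once an attacker can get certificates issued, nothing stops those certificates carrying a date outside the window, which is why, when the CA itself cannot say how many fraudulent certificates exist, distrusting the root is the only response that does not rely on the compromised party's own bookkeeping.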
_______________________________________________
cryptography mailing list
cryptography@...
http://lists.randombit.net/mailman/listinfo/cryptography
