Lucky Green writes:
>There is one useful data point that came from the DigiNotar mess-up: we
>know, thanks to Mozilla, Debian, and the SSL Observatory what the lower
>is for a failed CA to be considered too big to fail.
There are additional confounding factors in this case, the CA doesn't seem
to know how many other fraudulent certs are still floating around out there,
there's no alternative but to pull the root cert in order to deal with
Google seem to be doing it by date range, specifically blocking certs
during the known-compromised time interval.
>You must have issued some (unknown) number in excess of 701 SSL certs to
>not see your root pulled from certificate-consuming software when you mess
>@nocombat writes: SSL Observatory: select count(Subject) from
>valid_certs where Issuer like '%diginotar%' → 701
They've only issued 700-odd SSL certs? Wow, that's low. OTOH since their
gravy train is mainly built around the Dutch government's PKI letter of
, I could imagine that their generic SSL cert business doesn't get much
 They have some... interesting business practices designed to lock users
into their PKI services.