[SSL Observatory] DigiNotar Compromise

Gervase Markham gerv at mozilla.org
Sat Sep 3 11:50:52 PDT 2011


On 03/09/11 14:31, Peter Gutmann wrote:
>> My blog post gives some more information (including a list of CNs) which may
>> be of interest :-)
> 
>   DigiCert Root CA
>   Equifax Root CA
>   Thawte Root CA
>   VeriSign Root CA
> 
> Does this mean they issued themselves CA certs as well as EE ones?

I do not have the cert contents, so cannot say. I would stick a finger
in the air and say "unlikely", given that if they managed that, they
wouldn't have needed to come back for more, or issue all the others, and
they seemed to be (ab)using standard certificate profiles, which of
course wouldn't allow this.

But I agree it's odd. Then again, in Comodogate, we had some weird CNs
which were never well explained.

Gerv


