[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Sep 4 21:57:49 PDT 2011


Jacob Appelbaum <jacob at appelbaum.net> writes:

>Here's a blog post about it:
>https://blog.torproject.org/blog/diginotar-damage-disclosure

Woah!  Thanks for that.  So it's getting worse every time, now it's 531
certificates (another argument against blacklists, they're totally useless
against a manufactured-certificate attack like this).

>Here are the files with more raw information:
>https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-09-04.xlsx
>https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-09-04.csv

  "DigiNotar Extended Validation CA"
  "DigiNotar Extended Validation CA"
  [...]

So they'd issued themselves EV certs?  It's a pity the info isn't broken down
a bit more, e.g. basicConstraints flags, policies/OIDs, and so on, so we could
see how extensive the damage really is (well, beyond the general meltdown 
that's already obvious).

Peter.
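As an added illustration of the breakdown asked for above (example code written for this page, not part of the thread or of the Tor Project's files), here is a minimal pure-Python DER walker that takes a certificate's Extensions block and reports the basicConstraints flags and the certificatePolicies OIDs. The extension bytes are constructed by hand for the example, and the policy OID used is the CA/Browser Forum EV OID 2.23.140.1.1, chosen as a sample value rather than taken from any of the rogue certificates.

```python
# Added example (not from the thread): walk a DER-encoded X.509 Extensions
# SEQUENCE and report basicConstraints (critical, cA, pathLen) and the
# certificatePolicies OIDs, the fields a per-certificate breakdown would show.

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_CERTIFICATE_POLICIES = "2.5.29.32"
OID_CABF_EV = "2.23.140.1.1"  # CA/Browser Forum EV policy OID, used only as a sample value

TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30

# Constructed Extensions block for this example (hex assembled by hand):
#   Extension 1: basicConstraints, critical=TRUE, cA=TRUE, no pathLenConstraint
#   Extension 2: certificatePolicies, one PolicyInformation with OID 2.23.140.1.1
EXTENSIONS_DER = bytes.fromhex(
    "3025"
    "300f" "0603551d13" "0101ff" "0405" "3003" "0101ff"
    "3012" "0603551d20" "040b" "3009" "3007" "0605" "67810c0101"
)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each TLV in a constructed value's contents."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for byte in value[1:]:  # remaining arcs are base-128 with continuation bit
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_basic_constraints(seq_contents):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    ca, path_len = False, None
    for tag, inner in iter_tlvs(seq_contents):
        if tag == TAG_BOOLEAN:
            ca = inner != b"\x00"
        elif tag == TAG_INTEGER:
            path_len = int.from_bytes(inner, "big")
    return {"ca": ca, "path_len": path_len}


def parse_certificate_policies(seq_contents):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; take each policyIdentifier."""
    oids = []
    for tag, policy_info in iter_tlvs(seq_contents):
        if tag == TAG_SEQUENCE:
            oid_tag, oid_value, _ = read_tlv(policy_info, 0)
            if oid_tag == TAG_OID:
                oids.append(decode_oid(oid_value))
    return oids


def summarize_extensions(extensions_der):
    """Return {'basic_constraints': {...} or None, 'policies': [oid, ...]} for an Extensions SEQUENCE."""
    tag, ext_list, _ = read_tlv(extensions_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    summary = {"basic_constraints": None, "policies": []}
    for tag, ext in iter_tlvs(ext_list):
        oid_tag, oid_value, pos = read_tlv(ext, 0)
        oid = decode_oid(oid_value)
        critical = False
        next_tag, next_value, pos = read_tlv(ext, pos)
        if next_tag == TAG_BOOLEAN:  # optional 'critical' flag precedes extnValue
            critical = next_value != b"\x00"
            next_tag, next_value, pos = read_tlv(ext, pos)
        if next_tag != TAG_OCTET_STRING:
            continue
        # extnValue is an OCTET STRING whose contents are the DER of the value itself
        _, inner_contents, _ = read_tlv(next_value, 0)
        if oid == OID_BASIC_CONSTRAINTS:
            summary["basic_constraints"] = {"critical": critical, **parse_basic_constraints(inner_contents)}
        elif oid == OID_CERTIFICATE_POLICIES:
            summary["policies"] = parse_certificate_policies(inner_contents)
    return summary


if __name__ == "__main__":
    print(summarize_extensions(EXTENSIONS_DER))
```

Against a real certificate the same walker would be pointed at the contents of the `[3] EXPLICIT Extensions` field in the TBSCertificate; the point of the output is that a cA=TRUE basicConstraints together with an EV policy OID on an end-entity cert is exactly the kind of detail a flat list of subject names hides.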