[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Sep 4 21:57:49 PDT 2011
Jacob Appelbaum <jacob at appelbaum.net> writes:
>Here's a blog post about it:
>https://blog.torproject.org/blog/diginotar-damage-disclosure
Woah! Thanks for that. So it's getting worse every time; now it's 531
certificates (another argument against blacklists, they're totally useless
against a manufactured-certificate attack like this).
>Here are the files with more raw information:
>https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-09-04.xlsx
>https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-09-04.csv
"DigiNotar Extended Validation CA"
"DigiNotar Extended Validation CA"
[...]
So they'd issued themselves EV certs? It's a pity the info isn't broken down
a bit more, e.g. basicConstraints flags, policies/OIDs, and so on, so we could
see how extensive the damage really is (well, beyond the general meltdown
that's already obvious).
Peter.
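As an added illustration (not code from Peter's message, nor from the Tor files linked above), the following dependency-free Python script pulls out of a DER certificate exactly the fields Peter says the files should be broken down by: the basicConstraints cA flag and pathLenConstraint, whether that extension is marked critical, and the certificatePolicies OIDs, which is what separates a manufactured EV leaf from a manufactured sub-CA. Since the rogue certificates themselves are not reproduced here, the script constructs its own sample certificate (structurally valid, but with empty names, a dummy key and an empty signature) purely to have something to parse; the serial number, dates and policy OIDs used in that sample, including the CA/Browser Forum EV policy OID 2.23.140.1.1, are values chosen for the demonstration and are not taken from the DigiNotar data.

```python
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_CERT_POLICIES = "2.5.29.32"

# DER encoding: only needed here to build the constructed sample certificate.
def der(tag, content):
    n = len(content)                      # definite length, short or long form
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]                # base-128, high bit set on all but last
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return der(0x30, b"".join(items))

def build_sample_cert(is_ca, path_len=None, policies=()):
    # Constructed sample: real v3/extension encoding, empty names, dummy key,
    # empty signature. Not one of the DigiNotar certificates.
    bc = der(0x01, b"\xff") if is_ca else b""
    if path_len is not None:
        bc += der_int(path_len)
    exts = [der_seq(der_oid(OID_BASIC_CONSTRAINTS), der(0x01, b"\xff"),  # critical
                    der(0x04, der_seq(bc)))]
    if policies:
        pols = der_seq(*(der_seq(der_oid(p)) for p in policies))
        exts.append(der_seq(der_oid(OID_CERT_POLICIES), der(0x04, pols)))
    sha256_rsa = der_seq(der_oid("1.2.840.113549.1.1.11"))
    tbs = der_seq(
        der(0xA0, der_int(2)), der_int(0x1234), sha256_rsa,  # version, serial, alg
        der_seq(),                                            # issuer (empty Name)
        der_seq(der(0x17, b"110719000000Z"), der(0x17, b"130719000000Z")),
        der_seq(),                                            # subject (empty Name)
        der_seq(der_seq(der_oid("1.2.840.113549.1.1.1")), der(0x03, b"\x00")),
        der(0xA3, der_seq(*exts)),                            # [3] EXPLICIT Extensions
    )
    return der_seq(tbs, sha256_rsa, der(0x03, b"\x00"))

# DER parsing.
def der_read(buf, pos=0):
    """Return (tag, content_start, content_end) of the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long form: (ln & 0x7F) length bytes follow
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, pos, pos + ln

def der_children(buf, start, end):
    while start < end:                    # each TLV in buf[start:end]
        tag, cs, ce = der_read(buf, start)
        yield tag, cs, ce
        start = ce

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def cert_extensions(cert):
    """Map extnID (dotted OID) -> (critical, extnValue bytes) for a DER cert."""
    _, cert_cs, _ = der_read(cert)                # Certificate SEQUENCE
    _, tbs_cs, tbs_ce = der_read(cert, cert_cs)   # tbsCertificate SEQUENCE
    exts = {}
    for tag, cs, ce in der_children(cert, tbs_cs, tbs_ce):
        if tag != 0xA3:                           # [3] EXPLICIT Extensions
            continue
        for _, xs, xe in der_children(cert, *der_read(cert, cs)[1:]):
            f = list(der_children(cert, xs, xe))  # extnID [critical] extnValue
            critical = any(t == 0x01 and cert[s] != 0 for t, s, _ in f)
            _, vs, ve = next(x for x in f if x[0] == 0x04)
            exts[decode_oid(cert[f[0][1]:f[0][2]])] = (critical, cert[vs:ve])
    return exts

def summarize(cert):
    """The breakdown asked for above: CA flag, pathLen, policy OIDs."""
    exts = cert_extensions(cert)
    out = {"is_ca": False, "path_len": None, "policies": []}
    out["bc_critical"], bc = exts.get(OID_BASIC_CONSTRAINTS, (False, b"\x30\x00"))
    for tag, cs, ce in der_children(bc, *der_read(bc)[1:]):
        if tag == 0x01:
            out["is_ca"] = bc[cs] != 0
        elif tag == 0x02:
            out["path_len"] = int.from_bytes(bc[cs:ce], "big")
    _, cp = exts.get(OID_CERT_POLICIES, (False, b"\x30\x00"))
    for _, ps, _ in der_children(cp, *der_read(cp)[1:]):     # PolicyInformation
        _, os_, oe = der_read(cp, ps)                          # policyIdentifier
        out["policies"].append(decode_oid(cp[os_:oe]))
    return out
```

On a real certificate, feed `summarize()` the DER bytes of the file (convert from PEM first if needed). Run over a dump of the rogue certificates, an entry with `is_ca` true under a DigiNotar issuer is a rogue sub-CA rather than a mere leaf, and the policy OIDs show which ones were minted as EV; that is the breakdown Peter says the spreadsheet and CSV do not give.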