Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Jimmy Hess mysidia at
Sun Sep 11 23:02:03 UTC 2011

On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher <damian at> wrote:
> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess <mysidia at> wrote:
> Because of that lost trust, any cross-signed cert would likely be revoked by
> the browsers.  It would also make the browser vendors question whether the

I am not engaging in speculation that DigiNotar plans to continue to
operate; they have already stated as much.
"VASCO does not expect that the DigiNotar security incident will have
a significant impact on the company's future revenue or business

So long as DigiNotar can show what they are required to show when they
would request re-signing, and another CA can legitimately cross-sign
their cert, following that CA's official correct certification
practices, it's unlikely to lead to the signer being revoked.

As far as we know, DigiNotar is not dead; it is just a really great
example showing how broken the TLS security model is.
The trust model hard-coded into the protocol is much weaker than the

Since the browsers already approved that root CA's certification
practices. Particularly not if the cross-signer is one of the larger
CAs such as Thawte or Verisign --- the browser might as well remove SSL
support altogether, if they will perform a revocation that renders 40%
of internet web server SSL certs invalid.
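The point raised above, that a cross-signed certificate can keep a distrusted CA's chains validating after its root is pulled from the trust store, can be made concrete with a small path-building model. The following is an added example, not code from this thread or from any browser or CA: certificate names and key identifiers are constructed stand-ins, and the `spki` field stands in for the subject public key that a cross-certificate shares with the self-signed root.

```python
# Added example, not from the mailing-list thread: a toy X.509 path builder
# showing why dropping a root from the trust store is not enough when another
# CA has cross-signed the same key. All names and keys are constructed stand-ins.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str  # stand-in for the subject public key; a cross-sign reuses it

def build_paths(leaf, pool, anchors, max_depth=6):
    """All paths leaf -> ... -> a cert whose key is a trust anchor (RFC 4158 style)."""
    paths = []
    def walk(cert, path):
        if cert.spki in anchors:          # reached a trusted key: path complete
            paths.append(path)
            return
        if len(path) >= max_depth:        # bound the search like real builders do
            return
        for cand in pool:                 # candidate issuers: name matches, no key loop
            if cand.subject == cert.issuer and cand.spki != cert.spki and cand not in path:
                walk(cand, path + [cand])
    walk(leaf, [leaf])
    return paths

def trusted_paths(leaf, pool, anchors, distrusted_spki=frozenset(), revoked=frozenset()):
    """Paths using no revoked cert and touching no distrusted key at any position."""
    live = [c for c in pool if c not in revoked]
    return [p for p in build_paths(leaf, live, anchors)
            if not any(c.spki in distrusted_spki for c in p)]

# Constructed sample PKI: a compromised root, and a healthy root that cross-signed it.
BAD_ROOT   = Cert("Compromised Root CA", "Compromised Root CA", "K_bad")
GOOD_ROOT  = Cert("Healthy Root CA", "Healthy Root CA", "K_good")
CROSS_CERT = Cert("Compromised Root CA", "Healthy Root CA", "K_bad")  # the cross-sign
LEAF       = Cert("www.example.test", "Compromised Root CA", "K_leaf")
POOL = [BAD_ROOT, GOOD_ROOT, CROSS_CERT, LEAF]

def paths_after_root_removal():
    # Browser drops the compromised root from its store and does nothing else:
    # the leaf still validates through the cross-certificate to the healthy root.
    return trusted_paths(LEAF, POOL, anchors={"K_good"})

def paths_after_key_distrust():
    # Browser blocks the compromised key wherever it appears in a chain.
    return trusted_paths(LEAF, POOL, anchors={"K_good"}, distrusted_spki={"K_bad"})

def paths_after_cross_cert_revocation():
    # The cross-signer revokes only its cross-certificate; its own root stays trusted,
    # so none of its other customers' chains are affected.
    return trusted_paths(LEAF, POOL, anchors={"K_good"}, revoked={CROSS_CERT})
```

Only the key-based distrust or the targeted revocation of the single cross-certificate closes the alternate path; neither requires revoking the cross-signer's root.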


More information about the NANOG mailing list