The fallout from the recent security breach at DigiNotar, a Dutch Certificate Authority [CA], continues. As I’ve noted earlier, the major browser vendors have, effectively, “blacklisted” SSL certificates issued by DigiNotar. Now, a diary post at the SANS Internet Storm Center reports that OPTA, the independent post and telecommunications authority in the Netherlands, has terminated DigiNotar’s accreditation as an issuer of qualified certificates, used to generate digital signatures, effective September 14.
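What “blacklisting” a CA means in practice, as an added example that is not part of the original post: a small Go program (standard library only) that builds a constructed root CA and a server certificate it has issued, then checks the server certificate against a trust store first with that root present and then with it removed. The CA name “Example Distrusted CA”, the hostname www.example.test and the helper names are assumptions made for the demonstration; nothing here is DigiNotar’s or any browser vendor’s code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs template with signer (the parent's private key) and returns the parsed certificate.
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a constructed root CA (assumed name "Example Distrusted CA") and a
// server certificate for the assumed host www.example.test signed by that root.
func BuildChain() (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Distrusted CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// A root is self-signed: template and parent are the same certificate.
	root, err = makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf carries its own public key but is signed with the root's private key.
	leaf, err = makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// PoolWithout builds a trust store from trusted, skipping every root whose subject CN
// appears in distrusted. This models a browser vendor pulling a CA from its root program.
func PoolWithout(trusted []*x509.Certificate, distrusted map[string]bool) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		if distrusted[c.Subject.CommonName] {
			continue
		}
		pool.AddCert(c)
	}
	return pool
}

// ChainVerifies reports whether leaf chains to a root in pool and is valid for host.
func ChainVerifies(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	root, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{root}
	fmt.Println("root trusted:  ", ChainVerifies(leaf, PoolWithout(trusted, nil), "www.example.test"))
	blocked := map[string]bool{"Example Distrusted CA": true}
	fmt.Println("root distrusted:", ChainVerifies(leaf, PoolWithout(trusted, blocked), "www.example.test"))
}
```

The point of the second check is that nothing about the server certificate itself changed: it is still well-formed and still correctly signed. Validation fails purely because the issuing root is no longer in the trust store, which is exactly the effect of the browser vendors’ removal of DigiNotar’s roots, and why every site and signer relying on those roots has to move to another provider.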
These certificates are important, because the law in most member countries of the European Union, in accordance with EU guidelines, provides that digital signatures produced with a certificate from an accredited CA are legally equivalent to manual signatures. The only way to contest such a signature is to prove fraud, so the existence of rogue signing certificates is potentially a very big problem. (The diary post provides more detail on this, and references to the pertinent EU directives.) A process is now underway to notify holders of DigiNotar signing certificates.
OPTA reports there are about 4200 qualified (signing) certificates issued by DigiNotar. The holders of these certificates will now have to be contacted by DigiNotar under the supervision of OPTA, and will have to seek another provider if they have not done so already.
OPTA’s report suggests that, in addition to failing to comply with the relevant EU technical standards, DigiNotar may have violated a number of local laws.
All of this will probably be something of a black eye for PricewaterhouseCoopers, DigiNotar’s regular auditor.
The Economist also has an article on the DigiNotar situation.