Dutch government sets DigiNotar certificate kill date

The Dutch government will on Wednesday revoke both of its certificates that had been issued by the hacked DigiNotar certificate authority.The government said on Friday that there was no evidence the two certificates had been abused, but they were certainly compromised.

The Dutch government will on Wednesday revoke both of its certificates that had been issued by the hacked DigiNotar certificate authority.

The government said on Friday that there was no evidence the two certificates had been abused, but they were certainly compromised. DigiNotar suffered a break-in sometime before the end of August, which led to fraudulent certificates being issued. The Dutch government "denounced" its trust in DigiNotar's certificated shortly afterwards.

In some cases bogus DigiNotar certificates, which are intended to prove the authenticity of web services, have been used to launch man-in-the-middle attacks that intercept information. Microsoft, Google, Mozilla and Apple have all moved to protect their customers from the DigiNotar certificates.

Although the Dutch government does not appear to have been a victim, false certificates have been found for the intelligence services of the UK, US and Israel, as well as for online organisations such as Skype, Twitter, Facebook and the Tor project.

Adobe said on Friday that the Dutch government's upcoming revocation of the Staat der Nederlanden root certificates meant Adobe does not need to amend its Approved Trust List.

"With this latest action, new digital signatures created with certificates from these certificate families will no longer show as valid in Acrobat and Reader, regardless of version," Adobe said. "This is due to the fact that Acrobat and Reader check if certificates associated with the signing credential are revoked at signing and at document open."

Adobe added that existing DigiNotar-signed documents would not necessarily be invalidated, as Acrobat and Reader 9.1+ "check the validity of the signature at the signing time by default, not at the current time, assuming that the signature includes validation information from when it was signed".

DigiNotar itself is no more, having been liquidated on Tuesday last week. Parent company Vasco said at the time that it would cooperate with the Dutch government in trying to find the hacker who was responsible for the breach.

The possibly Iranian hacker who stole certificates from Comodo in March has claimed responsibility for DigiNotar, and also said earlier this month that he or she had compromised the Japanese certificate authority GlobalSign. GlobalSign confirmed one of its web servers had been compromised, but denied a wider intrusion had taken place.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All