Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - DigiNotar looses their accreditation for qualified certificates InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DigiNotar looses their accreditation for qualified certificates

Published: 2011-09-15
Last Updated: 2011-09-15 11:22:49 UTC
by Swa Frantzen (Version: 1)
5 comment(s)

Next to being a provider of SSL certificates (which most browsers now distrust), DigiNotar also issued so-called "qualified" certificates. These are used to create digital signatures and they are much stricter regulated that the run of the mill SSL and EVSSL certificates we all know from web servers and the like.

OPTA, the Dutch independent post and telecommunication authority - think of them as the regulator- , has terminated [in Dutch] the accreditation of DigiNotar as a certificate provider on Sept 14th, 2011. This pertains to their qualified certificates.

It's probably best to give a very short introduction on what qualified certificates, accredited providers are and why this is so important.

The EU has issued guidelines (Directive 1999/93/EC) that have been translated in local law by member states such as the Netherlands that establish legal value in digital signatures. There are a number of levels of trust in this from the legislators. Typically -local laws differ a bit sometimes, but they all implement the same concept- a digital signature is going to be -by law- equivalent to a manual one. At the lowest level a digital signature can be as little as writing your name under an email, but all remains to be proven in court afterwards. It gets more interesting on the higher levels: if the digital signature is proven to be a qualified digital signature, the equivalence to a manual signature is automatic (i.e. no discussion in court). But it still needs to be proven that the digital signature is in fact qualified. The ultimate level however are qualified digital signatures made with the means provided by an accredited provider. There the proof that the digital signature is qualified is automatic as well as it's done up front (in the audits of the accredited providers).

This all is guided under the ETSI TS 101 456 standard from a more technical point of view. This standard sets the requirements.

Since the means provided by an accredited provider can be used to create digital signatures that are almost only disputable if one proofs fraud, it's to all of us -esp those living or doing business in the EU- of critical importance that there are no rogue qualified certificates out there with our name on it as they carry such a high legal weight.

OPTA reports a timeline that's been mostly public knowledge except for their own actions and the interaction with DigiNotar and their auditors. The report concludes that DigiNotar was not only not acting in accordance to ETSI TS 101 456 on quite a few points, but also breaking the relevant local laws.

OPTA also names PriceWaterhouseCoopers as the (regular) auditors of DigiNotar, but does not go as far as to name them the ones that gave them the apparent clean bill of health on July 27th, 2011: "A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA server “Relaties-CA” and also to “Public-CA”. Traces of hacker activity started on June 17th and ended on July 22nd". Which was later dramatically proven to be untrue.

OPTA reports there are about 4200 qualified (signing) certificates issued by DigiNotar. These will now have to be contacted by DigiNotar under supervision of OPTA. These certificate holders will have to seek another provider if they have not done so already.

The revocation as an accredited provider, also means that DigiNotar doesn't meet the requirements for their PKIOverheid activities anymore.

Swa Frantzen -- Section 66

Keywords: breach DigiNotar ssl
5 comment(s)
Diary Archives