
Ouch, DigiNotar is revoked in Chrome? They didn't do anything wrong, someone else pretended to be them.


For somebody else to pretend to be them, in this case, they need their private key. As a CA, you can't have your private key leaked and then still be trusted by a browser.

Or they issued the *.google.com certificate by accident, but if you accidentally issue a certificate as a CA, you can't be trusted by a browser either.

IMHO, this was entirely justified.


They're being revoked in Firefox and IE too. Their certs are hopefully going to be worthless soon. The ONE THING you ask a CA to do is NOT LET ITS PRIVATE KEY BE USED FOR EVIL. ONE THING.


The only way this attack would have worked is if DigiNotar's private key, whose public key is included in the major CA whitelist in major browsers, signed the domain. So either they did it, or somebody stole their private key. Either way it is very much their responsibility.


And Mozilla products and apparently IE. Serves them right. I hope every time such a thing happens the CA gets kicked out and blacklisted for life.



