Telecommunications regulator bars DigiNotar from issuing certificates
The Dutch telecommunications regulator (OPTA) has barred the DigiNotar Certificate Authority from issuing further qualified certificates. Certificates that have already been issued must be revoked. Qualified certificates are used, for example, by public authorities to provide legally binding signatures and are therefore equivalent to physical signatures. OPTA said that the certificates issued by DigiNotar can no longer be guaranteed to be trustworthy.
In July, DigiNotar was attacked by hackers who managed to obtain access to the company's entire CA infrastructure, including CAs such as PKIoverheid that are used by the Dutch government. An investigation into the intrusion found that the attackers were mainly interested in server certificates; they issued more than 500 certificates for popular domains such as google.com.
However, the security expert conducting the investigation could not entirely rule out the possibility that PKIoverheid and similar CAs may also have been compromised. DigiNotar, which is now managed by the Dutch ministry of the interior, has informed its customers about the official measures and given customers until 27 September to find a different provider. The scope is limited: OPTA says that about 4,200 customers are affected.
- Dutch government takes control of DigiNotar CA, a report from The H.