Linked by Thom Holwerda on Mon 5th Sep 2011 22:26 UTC
So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisations within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
Lennie

"Even if we assume that it's possible to audit the internal security of a CAs in a comparatively meaningful way, that knowledge is not really public."

Every CA in the browser has to have a frequent audit to check if they still comply with the rules set out by the CAB-forum (CAB is Certification Authority/Browser Forum).

An external party comes in once or twice a year and checks if they abide by the rules.

This is like a notary*: they check if you have procedures in place to do all the tasks that are required.

But that is all they do; they do not check any technical stuff, just rules and procedures.

I think there is one organisation which does most of those, maybe 90%: WebTrust.

I believe the rules did not say anything about transparency and disclosure of break-ins. Not even to the members of the CAB-forum.

* Ironically, the organisation that started this discussion is called DigiNotar
