VASCO/DigiNotar – the Entrust Perspective

Bruce Morton

So what happened? DigiNotar, a publicly trusted Certification Authority based in the Netherlands and a wholly owned subsidiary of VASCO, was compromised in July 2011. This compromise came to light in late August with the discovery of a fraudulent SSL certificate issued to *.google.com. The browser community took immediate steps to disable the DigiNotar root certificates. VASCO disclosed the incident on August 30 and it was subsequently discovered that over 500 fraudulent SSL certificates had been issued.

So what does this have to do with Entrust? Back in 2007, Entrust and DigiNotar entered into a relationship under which Entrust issued cross-certificates for two DigiNotar certification authorities: certificates signed by an Entrust root for the names and public keys of those DigiNotar CAs. Because the Entrust root was already present in the trust stores of legacy browsers and operating systems, a certificate issued by one of those DigiNotar CAs could chain through the cross-certificate to a trusted root on clients that did not carry DigiNotar's own roots; that is what made the DigiNotar certification authorities backwards compatible. The relationship ended when Entrust chose not to renew the agreement, which expired on July 20, 2010. Thereafter, DigiNotar was not permitted to issue any new SSL certificates that relied on the Entrust cross-certificates. The cross-certificates were to remain in place as a tail to the agreement until July 20, 2013, so that only certificates issued prior to July 20, 2010 could continue to validate through them.

Given the breach DigiNotar suffered, Entrust revoked the DigiNotar cross-certificates on August 30, very soon after learning of the compromise and its scope. Revocation only protects clients that actually fetch and check the issuing CA's revocation information, so we also promptly made the DigiNotar cross-certificates available to the major browser vendors, so they could be placed on blacklists as an added measure of assurance. This is what led to the Microsoft security notification that the DigiNotar cross-certificates had been added to the Untrusted Certificate Store.
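The two mechanisms described above, cross-certification and its undoing by revocation and blacklisting, are easier to see in code. The following Go program is an added example written for this page; it is not Entrust's or DigiNotar's code and contains no real certificate. It builds a hypothetical PKI in memory with made-up names (`Legacy Root CA` standing in for a root that old clients already ship, `New Root CA` for a CA whose own root those clients lack, `www.example.test` for a server), issues a cross-certificate for the new root's name and key under the legacy root, and then models a legacy client's validation four ways: without the cross-certificate (no path to a trusted root), with it (the chain leaf -> cross-certificate -> legacy root validates), after the legacy root revokes the cross-certificate on a CRL, and after the cross-certificate's fingerprint is placed in an untrusted store. The function names (`issue`, `publishCRL`, `verifyAsClient`) and the CRL and untrusted-store handling are this example's own simplifications, not how any particular browser implements them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical in-memory PKI with made-up names and fresh keys: legacyRoot is a root that old
// clients already trust, newRoot is a newer CA's own root that they lack, and crossCert is
// newRoot's subject and public key re-issued under legacyRoot, which is all a cross-certificate is.
type pki struct {
	legacyRoot, newRoot, crossCert, leaf *x509.Certificate
	legacyKey, newRootKey                *ecdsa.PrivateKey
}

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func certs(c ...*x509.Certificate) []*x509.Certificate { return c }

func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// issue creates a certificate for pub with the given subject and key usage; a nil parent means self-signed.
func issue(subject string, usage x509.KeyUsage, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: subject}, KeyUsage: usage,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func buildPKI() *pki {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	p := &pki{legacyKey: newKey(), newRootKey: newKey()}
	leafKey := newKey()
	p.legacyRoot = issue("Legacy Root CA", caUsage, &p.legacyKey.PublicKey, nil, p.legacyKey)
	p.newRoot = issue("New Root CA", caUsage, &p.newRootKey.PublicKey, nil, p.newRootKey)
	// Same subject and public key as newRoot, but signed by legacyRoot: the cross-certificate.
	p.crossCert = issue("New Root CA", caUsage, &p.newRootKey.PublicKey, p.legacyRoot, p.legacyKey)
	p.leaf = issue("www.example.test", x509.KeyUsageDigitalSignature, &leafKey.PublicKey, p.newRoot, p.newRootKey)
	return p
}

// publishCRL has issuer revoke certs by serial number, as a CA does when it withdraws a cross-certificate.
func publishCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, certs ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range certs {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// verifyAsClient models a browser: the roots it ships, the extra certificates the server sent,
// an optional CRL (honoured only if one of the roots signed it) and an untrusted store keyed by
// certificate fingerprint. A chain is dropped if any certificate in it is revoked or untrusted.
func verifyAsClient(leaf *x509.Certificate, roots, sent []*x509.Certificate, crl *x509.RevocationList, untrusted map[[32]byte]bool) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	revoked := map[string]bool{} // "issuer DN/serial" entries taken from a CRL a trusted root signed
	for _, r := range roots {
		opts.Roots.AddCert(r)
		if crl != nil && crl.CheckSignatureFrom(r) == nil {
			for _, rc := range crl.RevokedCertificates {
				revoked[string(r.RawSubject)+"/"+rc.SerialNumber.String()] = true
			}
		}
	}
	for _, c := range sent {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts) // path building: leaf -> ... -> a root in opts.Roots
	if err != nil {
		return nil, err
	}
	var good [][]*x509.Certificate
next:
	for _, chain := range chains {
		for _, c := range chain {
			if untrusted[fingerprint(c)] || revoked[string(c.RawIssuer)+"/"+c.SerialNumber.String()] {
				continue next
			}
		}
		good = append(good, chain)
	}
	if len(good) == 0 {
		return nil, fmt.Errorf("every chain contains a revoked or blacklisted certificate")
	}
	return good, nil
}

func main() {
	p := buildPKI()
	legacy, cross := certs(p.legacyRoot), certs(p.crossCert)
	_, err := verifyAsClient(p.leaf, legacy, nil, nil, nil)
	fmt.Println("legacy client, no cross-certificate sent: ", err)
	_, err = verifyAsClient(p.leaf, legacy, cross, nil, nil)
	fmt.Println("legacy client, cross-certificate sent:    ", err)
	_, err = verifyAsClient(p.leaf, legacy, cross, publishCRL(p.legacyRoot, p.legacyKey, p.crossCert), nil)
	fmt.Println("cross-certificate revoked on legacy CRL:  ", err)
	_, err = verifyAsClient(p.leaf, legacy, cross, nil, map[[32]byte]bool{fingerprint(p.crossCert): true})
	fmt.Println("cross-certificate in the untrusted store: ", err)
}
```

Run it with `go run`; a nil error means the legacy client accepted the server certificate. Two design points carry the security content: the CRL is honoured only when a root in the client's own store signed it, which is what stops anyone who does not hold the issuing CA's key from "revoking" other people's certificates, and the untrusted-store check is deliberately independent of revocation, because a client that never fetches the CRL still refuses a blacklisted certificate by fingerprint.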

It is imperative to understand that Entrust was not involved in the issuance of the fraudulent SSL certificates or in the security incident at DigiNotar. The Entrust certification authority infrastructure was in no way compromised by this incident. The breach, while unfortunate, is entirely an issue with DigiNotar and DigiNotar-issued certificates.

While questions remain concerning VASCO/DigiNotar's disclosure of the incident, the standard mechanisms for dealing with a root certificate compromise, namely revocation, removal of the affected roots by the browsers and blacklisting, have operated properly to restore the integrity of the system. All stakeholders are looking for lessons learned from this incident, and the result will be a more secure Web.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
