Microsoft deems all DigiNotar certificates untrustworthy, releases updates

[paul at paulgraydon.co.uk (Paul)]

On 09/09/2011 11:48 AM, Marcus Reid wrote:
> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote:
>> FYI!!!
>>
>> http://seattletimes.nwsource.com/html/microsoftpri0/2016132391_microsoft_dee
>> ms_all_diginotar_certificates_untrust.html
>>
>> Google and Mozilla have also updated their browsers to block all DigiNotar
>> certificates, while Apple has been silent on the issue, a emblematic zombie
>> response!
> Apple has sent out a notification saying that they are removing
> DigiNotar from their list of trusted root certs.
>
> I like this response; instant CA death penalty seems to put the
> incentives about where they need to be.
>
> Marcus
>
Instant?  This has been going on for over a week, and a lot of damage 
could have been done in that time, especially given certs for *.*.com 
were signed against Diginotar.  Most cell phones are unable to update 
their certificates without an upgrade and you know how long it takes to 
get them through Cell Phone carriers.  A number of alternative android 
builds are adding the ability to control accepted root certs to their 
builds in the interest of speeding this up.  The CA system is 
fundamentally flawed.

Paul