Is this the end of the line for DigiNotar?
DigiNotar is going down quickly and in flames.
After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, around 4200 qualified certificates – i.e. certificates used to create digital signatures – issued by the CA are currently in the process of being revoked and their holders notified of the fact by the Dutch independent post and telecommunication authority (OPTA).
ISC reports that, starting from yesterday, OPTA has terminated the accreditation of DigiNotar as a certificate provider for “qualified” certificates. The revocation of this accreditation also makes DigiNotar unqualified to issue certificates under the PKIoverheid CA.
After having exchanged information with DigiNotar and its auditors, OPTA came to the conclusion that not only has the CA not adhered to the European guidelines and standards governing the issuing of qualified certificates, but has also broken a few local laws.
OPTA’s report also finally revealed the auditing firm that missed the rogue Google SSL certificate in July: it’s PriceWaterhouseCoopers.
“It’s game over for DigiNotar. Very soon they will officially no longer be a valid entity to issue certificates,” commented recently Andrew Storms, Director of Security Operations for nCircle, and it seems that he was right.