Adobe said on Friday that its products would soon reject certificates issued by the disgraced Dutch certificate authority DigiNotar following the Dutch government’s decision, Friday, to revoke DigiNotar PKIoverheid CA certificates used by government agencies on September 28.
The news sets an official date for the end of the government’s support of DigiNotar, which had previously been a prime supplier of online credentials to the Dutch government. Following decertification, Adobe said that new certificates issued from DigiNotar certificate families will be flagged as invalid by most of its software, though certificates issued before next Friday would be considered valid.
In an announcement on a government Web site Friday, Dutch authorities said that the government’s PKIoverheid Policy Authority ( PA ) will revoke both DigiNotar PKIoverheid CA certificates on Wednesday 28 September 2011. The government cited a September 5 report by forensic investigators with Fox-IT that said that it was likely that both commercial and government certificate authorities operated by DigiNotar were compromised, though it appears that the government CA was not used to issue fraudulent certificates. It also noted DigiNotar‘s recent decision to file for bankruptcy protection.
The government further defended its decision not to revoke both DigiNotar CA certificates after the breach was discovered, saying it needed to more fully understand the dimensions of the security breach and conduct a “controlled transition scenario” to another CA.
In a corresponding post on Friday, Adobe said that its Acrobat and Reader applications would flag digital signatures created with DigiNotar certificates as invalid, regardless of the version of the software. However, versions 9.1 and later of Acrobat and Reader will continue to accept DigiNotar signatures used on existing documents as valid and trusted. Those versions of Acrobat and Reader check the validity of the signature at the signing time by default, rather than checking them at the time they are accessed, Adobe said.
Adobe was among a slew of firms to respond to the August compromise by revoking trust in hundreds of DigiNotar certificates that were found to be fraudulently issued. They included certificates for domains belonging to Microsoft, Google, Mozilla, the Tor Project and (eventually) Apple.
The hack is believed to be the work of an Iranian hacker who also claimed credit for a compromise at Comodo, another certificate authority, in March. It has raised serious concerns about the security of Web and Internet communications in an age where sophisticated attacks – often with political motives and nation-state backing – are becoming more prevalent.
Editor’s Note: The introductory paragraph was updated to indicate that the Adobe products would reject DigiNotar certificates following the Dutch Government’s decision to decertify the PKIOverheid CAs. Also, the fourth paragraph was changed to indicate that Adobe Version 9.1 products check for valid at signing time by default. (September 27. 2011)