A Dutch agency that regulates the actions of telecommunications providers has revoked DigiNotar’s ability to issue certificates for digital signatures. The agency said that because of the way that DigiNotar behaved during the attack on its certificate authority infrastructure, the company no longer has the authority to issue so-called qualified certificates.
In a report released on Wednesday, the Board of the Independent Post and Telecommunications Authority (OPTA) said that because there was evidence of an attacker having compromised the server that was used to issue qualified certificates, the agency couldn’t allow DigiNotar to continue issuing those certificates.
“Signs of hacker activity (using administrative rights) were found on the CA server used for the issuance of qualified certificates. This means that an unauthorized third party (hacker) has been active on the CA server that is used for issuing qualified certificates. Using administrative rights, data on a server can be manipulated or removed. The integrity of the data on the CA server that is used for production and issuance of qualified certificates is therefore impossible to guarantee,” a translation of the Dutch report reads.
Qualified certificates mainly are used to create digital signatures.
The attack on DigiNotar has expanded from the discovery of a rogue certificate for *.google.com that was being used actively in Iran to intercept users’ traffic, to the eventual realization that there were more than 500 fraudulent certificates issued for various domains, to the current situation in which the browser vendors have revoked trust for all of the company’s root certificates and now the Dutch regulators have removed the company’s ability to issue qualified certificates.
Swa Frantzen at the SANS Internet Storm Center said that the decision by the Dutch regulator means that any customer with one of the qualified certificates will now have to find a way to replace it.
“OPTA reports there are about 4200 qualified (signing) certificates issued by DigiNotar. These will now have to be contacted by DigiNotar under supervision of OPTA. These certificate holders will now really have to seek another provider if they have not done so already,” Frantzen said in a blog post. “The revocation as an accredited provider also means that DigiNotar doesn’t meet the requirements for their PKIOverheid activities anymore.”