The fallout from the DigiNotar compromise continued on Tuesday, as Microsoft said it has now revoked its trust in all five of the certificate authority’s root certificates. The update that makes this change is being pushed out to users on all supported versions of Windows. Mozilla also released new versions of Firefox on Tuesday that revoke trust for all of DigiNotar’s certificates.
The move by Microsoft effectively makes any certificate that has been issued by DigiNotar untrusted by Internet Explorer and other Windows applications. Any IE user who visits a site that presents a DigiNotar-issued certificate as proof of identity will get an error message telling him that the certificate isn’t trusted. Microsoft’s change applies to these root certificates from DigiNotar:
- DigiNotar Root CA
- DigiNotar Root CA G2
- DigiNotar PKIoverheid CA Overheid
- DigiNotar PKIoverheid CA Organisatie – G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
The software giant said that it has continued to investigate the DigiNotar attack and work with other certificate authorities and software vendors as they all look for viable solutions to what has become a huge problem. Also on Tuesday, GlobalSign said it is aware of, and is looking into, a claim by the hacker who has taken credit for the DigiNotar attack that he has also compromised several other high-level CAs, GlobalSign among them.
The company posted a message on its corporate Twitter feed, saying: “We are aware of the Comodo hacker BLOG that claims access to a number of major CAs including #GlobalSign. We are taking this claim seriously and are investigating.”
Mozilla released updates for Firefox 6.x and 3.x that revoke trust in all of DigiNotar’s certificates, a change from the previous update, which included an exception for certificates for the Dutch government’s PKI. The certificates from the Staat der Nederlanden intermediate CA are now untrusted by Firefox, as well as Internet Explorer.