Microsoft has updated Security Advisory 2607712 to announce that, based on its investigation, it has deemed all DigiNotar certificates untrustworthy and has moved them to the Untrusted Certificate Store.
Microsoft recognizes that this issue is an industry problem, and has been actively collaborating with certificate authorities, governments, and software vendors to help protect its mutual customers.
Andrew Storms, Director of Security Operations for nCircle, comments: “It’s game over for DigiNotar. Very soon they will officially no longer be a valid entity to issue certificates.
Last week Microsoft removed DigiNotar’s commercial root certificates from their products, an extraordinary step. This week they have moved those two certificates and three others related to the Dutch government into the “un-trusted” category. The result is that all Windows computers explicitly do not trust DigiNotar.
Cumulatively, these steps will have a monumental impact on the Dutch government’s websites and their ability to function.
Microsoft says they will not offer today’s update to Dutch users. Microsoft will identify users based on their geographic location, and Dutch users will not receive the automatic update for one week. This delay will hopefully give the Dutch government enough time to update their websites.
The problem for the Dutch online infrastructure is very serious; even the Dutch government was quoted in a press release yesterday saying that their own websites could not be trusted.
I’m sure the Dutch government is learning a hard, but important lesson from this ongoing fiasco. Trusting DigiNotar’s critical online infrastructure role without spending the time to independently audit their operations has undoubtedly cost the Dutch government a lot of time and money. It has certainly caused a great deal of international embarrassment.”