DigiNotar can no longer issue certificates for digital signatures, said the Dutch agency that regulates the actions of telecommunications providers.
The agency said that because of the way DigiNotar behaved during the attack on its certificate authority infrastructure, the company no longer has the authority to issue qualified certificates.
Because there was evidence of an attacker having compromised the server used to issue qualified certificates, the agency couldn’t allow DigiNotar to continue issuing those certificates, said a report released by the Board of the Independent Post and Telecommunications Authority (OPTA).
“Signs of hacker activity (using administrative rights) found on the CA server used for the issuance of qualified certification. This means that an unauthorized third party (hacker) has been active on the CA server that is used for issuing qualified certificates. Using administrative rights, data on the server can be manipulated or removed. The integrity of the data on the CA server that is used for production and issuance of qualified certificates is therefore impossible to guarantee,” the Dutch report reads.
Qualified certificates are used mainly to create digital signatures.
The attack on DigiNotar expanded from the discovery of a rogue certificate for *.google.com used actively in Iran to intercept users’ traffic, to the eventual realization there were more than 500 fraudulent certificates issued for various domains, to the current situation in which the browser vendors have revoked trust for all of the company’s root certificates and now the Dutch regulators have removed the company’s ability to issue qualified certificates.
Swa Frantzen at the SANS Internet Storm Center said the decision by the Dutch regulator means that any customer with one of the qualified certificates will now have to find a way to replace it.
“OPTA reports there are about 4200 qualified (signing) certificates issued by DigiNotar. These will now have to be contacted by DigiNotar under supervision of OPTA. These certificate holders will now really have to seek another provider if they have not done so already,” Frantzen said. “The revocation as an accredited provider also means that DigiNotar doesn’t meet the requirements for their PKIOverheid activities anymore.”