
The Dutch government has taken over operational management from DigiNotar. - franze
http://www.govcert.nl/english/service-provision/knowledge-and-publications/factsheets/factsheet-fraudulently-issued-security-certificate-discovered.html
======
stingraycharles
More specifically, they have taken over operational management of the
DigiNotar _servers_ :

"On 3 September, the Dutch government has taken over operational management of
the DigiNotar systems that are used for certificates."

[http://www.govcert.nl/binaries/live/govcert/hst%3Acontent/en...](http://www.govcert.nl/binaries/live/govcert/hst%3Acontent/english/service-provision/knowledge-and-publications/factsheets/factsheet-fraudulently-issued-security-certificate-discovered/factsheet-fraudulently-issued-security-certificate-discovered/govcert%3AdocumentResource/govcert%3Aresource)

------
akie
Well, that's about as competent a response as you can realistically expect in
a situation like this. Kudos to the Dutch Government?

~~~
rickmb
Let's not start cheering just yet. Initially, the government failed to
acknowledge the seriousness of the issue, even though browser manufacturers
revoked trust in the CA. In fact, they successfully pressured Mozilla into
accepting Dutch government certificates as trustworthy anyway.

It also kept all public services depending on Diginotar certificates
operational, basically telling the public "well, you can't trust them, but
feel free to use them anyway".

~~~
joelhaasnoot
They started with this, but ended differently: Friday September 2nd they had a
news conference and basically said "for now, it's insecure". DigiD, which is
what most consumers will see, had a message saying it couldn't be trusted,
till the certificates were replaced sometime Saturday or Sunday. The timing is
a little suspicious though: can imagine they didn't want to do that till the
weekend, when not as many businesses cared, or journalists were around to cover
all the details.

------
michiel3
And they denounced trust in all certificates that are issued by DigiNotar and
are currently migrating to new CAs (Getronics). The digital identity portal DigiD
for government services is already migrated to Getronics CA.

------
mkopinsky
Does the Dutch government have the expertise necessary to run a CA?

~~~
burgerbrain
Does it particularly matter? All the browsers have de-trusted them already.

Not like they could really do any worse. Under previous management they
literally allowed the _one thing_ no CA must ever allow to happen.

~~~
tripzilch
You're conflating the Dutch Government and VASCO/Diginotar.

------
guildchatter
<http://www.net-security.org/secworld.php?id=11565>

It looks like many other bad SSL certs were issued.

------
rhizome
Have there been any stories on VASCO yet, or the people involved in either
company?

~~~
joelhaasnoot
There's now an article here
[http://www.nu.nl/internet/2607758/diginotar-negeerde-misbrui...](http://www.nu.nl/internet/2607758/diginotar-negeerde-misbruik-en-was-slecht-beveiligd.html)
which details the FoxIT (a Dutch security firm) report on the situation. Looks
like sysadmin passwords were brute forced to obtain elevated access, and that
keys were stored in a separate database (going against the written procedures
and rules).

