Diginotar declared bankrupt

Published: 2011-09-20
Last Updated: 2011-09-20 11:16:50 UTC
by Swa Frantzen (Version: 1)
5 comment(s)

In the latest installment of this seemingly never-ending saga, a Dutch court in Haarlem (NL) declared DigiNotar bankrupt.

Read more:

The CA business is all about selling trust. After all a CA is supposed to be a trusted third party. Let's hope all the remaining ones get the right message: it's not about not getting caught being hacked. On the contrary: it's about doing the right thing once you have been hacked. Let's hope it leads to more transparency and public scrutiny of the CAs we trust explicitly or implicitly though the choice of some of our vendors.

Swa Frantzen -- Section 66

Keywords: diginotar
5 comment(s)


I'm surprised they are bankrupt - but only because others in their situation haven't gone bankrupt. When Verisign gave out 2 certs for Microsoft to someone who walked in off the street in 2001, I figured Verisign would go out of business since all they were selling was trust, and they had a complete failure of their business. I thought - how could anyone every trust them again - they only do one thing and they've proven they can't do that right. Instead, they issused a quick "I'm sorry" and then went about business as usual. So I'm surprised that Diginotar is bankrupt because other CA's have totally screwed up and survived just fine.
So, what gives a good indicator that the parent company, VASCO can be trusted? Given my experience with the corporate world, what's happening at a subsidiary can often be a good indicator of the business practices of the parent. Justify us trusting the parent company on this one.
I'm pretty sure that if you were a car salesman in a similar situation (you can sell cars but those cars cannot be used on public roadways) you'd go bankrupt as well. No one will buy a certificate if the major OSes and browsers all do not recognize them as a trusted source.
Three words: Internet death penalty
This would appear to be an example the worst-case impact that we've avoided in our risk assessments, now realized: Your business will be critically (fatally) damaged due to insufficient security and a resultant breach.

What gets me is that for many years in the last decade, FUD was frowned upon. Now, thanks to polymorphic malware, advanced threats, and highly organized malefactors, FUD is what's being sold (and bought), even from many of the most credible sources in this field.

Diary Archives