I just read an article on SANS: DigiNotar breach – the story so far. To be clear: this is not a Microsoft analysis nor any official statement from us. What we have to say is in the advisory: Microsoft Security Advisory (2607712) – Fraudulent Digital Certificates Could Allow Spoofing. The article just gives an interesting overview of what happened.
What strikes me is the following fact: in the digital world, 99.9% security that a certificate can be trusted seems not to be enough – we need 100%. If we look at the physical world, things are completely different. I have a Swiss passport, which is highly regarded as a trusted document everywhere I have traveled so far. It is well known that the Swiss passport is an interesting target for forgery as well, precisely because it is so well trusted. We all know that a certain number of faked passports are out there, but we still trust them without even thinking twice (except if you work at immigration) for banking, health, whatever. I am still trying to understand where the difference comes from. Why is this the case?