The DigiNotar Story – So Far

I just read an article on SANS: DigiNotar breach – the story so far. To be clear: this is not a Microsoft analysis nor any official statement from us. What we have to say is in the advisory: Microsoft Security Advisory (2607712) – Fraudulent Digital Certificates Could Allow Spoofing. The SANS article simply gives an interesting overview of what happened.

What strikes me is the following fact: in the digital world, 99.9% assurance that a certificate can be trusted seems not to be enough – we need 100%. In the physical world we behave completely differently. I have a Swiss passport, which is highly regarded as a trusted document everywhere I have traveled so far. It is also well known to be an attractive target for forgery precisely because it is so well trusted. We all know that a certain number of passports out there are faked, but we still trust them without thinking twice (unless you work at immigration) for banking, health care, whatever. I am still trying to understand where the difference comes from. Why is this the case?


Comments (3)

  1. Anonymous says:

    No, I do not say that it is acceptable. My question is more that we should think about how far we need to have 100% security (which is not achievable anyway) and how we can transfer our experience from the real world.

    In the real world, for somebody having a fake passport the punishment in our case is significant, and this is right so. If somebody hacks into a system or exploits vulnerabilities they are not really punished – something which has to change.

    However, we should accept the fact that even a high-trust CA might sometimes make mistakes – as a passport issuing agency does. I think it is questionable whether a CA shall immediately completely lose the trust because of such an incident. Again, we should take the analogy


  2. Anon says:

    Are you seriously complaining that what happened is acceptable? It seems you're missing the importance of SSL to the web…

  3. tonyr says:

    @anon I think you missed the point.