Inspired by Swa Frantzen’s “DigiNotar breach – the story so far” post at the ISC Diary, I looked at the CRL for DigiNotar Public 2025 Root CA (.crl) and found a spike in the number of certificate revocations during June/July 2010: 3282 out of 4880 revocations (67%) between December 2007 (oldest in the CRL) and August 2011 (most recent) occurred in June+July 2010. See the list counting those revocations.
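One way to reproduce such a per-month count, as an added example that is not code from the original post: it parses the text that `openssl crl -inform DER -in <file>.crl -noout -text` prints and flags months that stand out. The sample data, the function names and the 3x-median threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import median

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Line format printed by `openssl crl -text` for each revoked certificate.
REVOKED = re.compile(
    r"Revocation Date:\s+([A-Z][a-z]{2})\s+\d{1,2}\s+[\d:]+\s+(\d{4})\s+GMT")

def revocations_per_month(crl_text):
    """Count revoked entries per (year, month)."""
    counts = Counter()
    for mon, year in REVOKED.findall(crl_text):
        counts[(int(year), MONTHS[mon])] += 1
    return counts

def share(counts, months):
    """Fraction of all revocations that fall in the given (year, month) keys."""
    total = sum(counts.values())
    return sum(counts[m] for m in months) / total if total else 0.0

def spike_months(counts, factor=3.0):
    """Months whose count exceeds `factor` x the median of months with entries."""
    if not counts:
        return []
    threshold = factor * median(counts.values())
    return sorted(m for m, n in counts.items() if n > threshold)

# Constructed sample (not the real DigiNotar CRL): (date, number of entries).
_SAMPLE = [("Dec  3 09:00:00 2007", 1), ("Mar 12 09:00:00 2009", 2),
           ("Jan 20 09:00:00 2010", 1), ("Jun 15 09:00:00 2010", 6),
           ("Jul  1 09:00:00 2010", 7), ("Aug 30 09:00:00 2011", 1)]
SAMPLE_CRL_TEXT = "Revoked Certificates:\n" + "".join(
    f"    Serial Number: {i:04X}\n        Revocation Date: {date} GMT\n"
    for i, (date, n) in enumerate(
        (d, k) for d, cnt in _SAMPLE for k in range(cnt)))

if __name__ == "__main__":
    counts = revocations_per_month(SAMPLE_CRL_TEXT)
    for (y, m), n in sorted(counts.items()):
        print(f"{y}-{m:02d} {n:5d}")
    spikes = spike_months(counts)
    print("spikes:", spikes, f"share={share(counts, spikes):.0%}")
```

Months without any revocation do not appear in the CRL, so the median is taken over months that have at least one entry.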
Is there a business-as-usual explanation? I know that as of January 1st 2011, new PKIoverheid certs MUST be issued under the new SHA-256 based root, “PKIoverheid G2”. The CRL of the Dutch DoD smartcard “Defensiepas” (.crl) shows a big spike in September 2010: 32176 out of 71835 revocations (45%) between April 2009 and September 2011 occurred in September 2010. For that spike I settle for the migrate-to-G2 explanation: after all, the trust path for Defensiepas-certificates involves PKIoverheid. But the trust path for DigiNotar Public 2025 certificates doesn’t. It is orthogonal to PKIoverheid*. Perhaps some DigiNotar customer(s) went broke and dropped certs, or decided to migrate existing Public 2025 certs to PKIoverheid G2 certs? I have no idea. I contacted DigiNotar and am awaiting a response.
If you can confirm 3000+ certs were revoked for business-as-usual reasons, please comment on this blog, or contact me via e-mail at koot=>uva.nl (“@” instead of “=>”) or via Twitter at @mrkoot.
(*) Yes, the compromise of DigiNotar Public 2025 Root CA resulted in the Dutch govt no longer trusting DigiNotar PKIoverheid G2 CA, but that is unrelated to this narrative AFAIK.