> The mistake has had no consequences on the overall network security, either for the French administration or the general public.
Wrong. It had huge consequences. Users within the French administration lost their ability to securely communicate with Google and who knows what other sites. Additionally, the overall network security was hit by another blow against the SSL trust infrastructure.
This is a seriously bad issue and downplaying hopefully won't do them any good. "We only spied in a very sneaky way on our employees, undermining the trust given us by all browser and OS vendors. Don't worry. Nothing to see here. Too bad we got caught - if we hadn't, we'd just continue".
By having their root accepted into the browser stores, they took on a huge responsibility which they have now betrayed, and IMHO it doesn't matter whether that was the root or one of their intermediates: if they can't control them, they never should have issued these intermediate certificates.
Browser vendors need to set an example and do a Diginotar here: remove that root from the stores. There are already too many supposedly trusted and hopefully competent ones in there, no need for the devious or incompetent ones.
The flowchart for removing a CA from the browser CA roots has a decision node that asks "does this CA sign important or widely-used certificates, such that removing that CA would cause chaos and alarm from large numbers of normal users?"
Unfortunately, if the answer to that question is "yes", and the offense triggering removal is "improperly delegated a CA certificate for internal network use", precedent dictates that the CA will not be removed. See: Trustwave.
I don't like it any more than you do, but it's helpful to know what reality looks like.
If the browser vendors could remove a CA from the roots without causing said chaos and alarm, do you think they would be willing to remove CAs that issued delegated CA certificates that were used to MITM major websites?
> Browser vendors need to set an example and do a Diginotar here: remove that root from the stores.
I just found Diginotar certificates in FF 25.0.1. So no "Diginotar" has been done in FF. At least not what I'd call a "Diginotar": Remove all certs of that organization.
My Firefox 26 on OSX doesn't list Diginotar any more. Neither does the OSX Keychain and, by extension, Safari and Chrome. They might have been slow to remove it, but it's gone now. (Edit: here's the link to the Firefox bug where they removed the root: https://bugzilla.mozilla.org/show_bug.cgi?id=682927. It seems to have been removed all the way back to Firefox 6, even.)
Have you manually added Diginotar back? Has some malware added Diginotar back?
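The sub-thread above turns on a practical question: is a root that browsers have distrusted still present in the trust store a machine actually uses? The following is an added example, not code from anyone in this thread, showing how a defender can audit the CA bundle that Python's `ssl` module loads by default and flag any root whose organisation or common name matches a denylist. The denylist (`DISTRUSTED_ORGS`) and the `SAMPLE_STORE` entries are constructed for the example; they mirror the dict shape `SSLContext.get_ca_certs()` returns but are not real certificate data. One caveat from the `ssl` documentation: certificates that live in a `capath` directory (rather than a single `cafile` bundle) are only reported by `get_ca_certs()` after they have been used once, so an empty result on such a system is not proof of absence.

```python
import ssl
from typing import Iterable, List, Tuple

# Constructed denylist for this example: organisations whose roots were removed
# from browser stores. Matching is case-insensitive substring on O and CN.
DISTRUSTED_ORGS = {"diginotar"}


def _rdn_values(name: tuple, attr: str):
    """Yield every value of `attr` (e.g. 'organizationName') from an
    ssl-style distinguished name: a tuple of RDNs, each a tuple of (key, value)."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                yield value


def find_distrusted(ca_certs: Iterable[dict],
                    distrusted_orgs=DISTRUSTED_ORGS) -> List[Tuple[str, str]]:
    """Return (organizationName, commonName) for every CA whose subject O or CN
    contains a denylisted string. Input dicts have the shape returned by
    ssl.SSLContext.get_ca_certs()."""
    hits = []
    for cert in ca_certs:
        subject = cert.get("subject", ())
        orgs = list(_rdn_values(subject, "organizationName"))
        cns = list(_rdn_values(subject, "commonName"))
        names = [n.lower() for n in orgs + cns]
        if any(bad in n for bad in distrusted_orgs for n in names):
            hits.append((orgs[0] if orgs else "", cns[0] if cns else ""))
    return hits


def scan_system_store() -> List[Tuple[str, str]]:
    """Audit the CA bundle that a default SSLContext loads on this machine."""
    ctx = ssl.create_default_context()  # calls load_default_certs()
    return find_distrusted(ctx.get_ca_certs())


# Constructed sample in the get_ca_certs() dict shape; not real certificate data.
SAMPLE_STORE = [
    {
        "subject": ((("countryName", "NL"),),
                    (("organizationName", "DigiNotar"),),
                    (("commonName", "DigiNotar Root CA"),)),
        "issuer": ((("organizationName", "DigiNotar"),),),
        "serialNumber": "0C76DA9C910C4E2C9EFE15D058933C4C",  # constructed value
    },
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Root CA"),)),
        "issuer": ((("organizationName", "Example Trust Services"),),),
        "serialNumber": "01",  # constructed value
    },
]

if __name__ == "__main__":
    print("sample store hits:", find_distrusted(SAMPLE_STORE))
    print("system store hits:", scan_system_store())
```

Running the module prints the denylist hits for the constructed sample and then for the live system bundle; an operator who wants to check a Firefox profile instead would export its certificates to a PEM bundle and load that with `load_verify_locations()` on a fresh context before calling `find_distrusted()`.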