Earlier this week DigiNotar said another audit would be performed and the results of this audit would be made public.
One of the big questions is whether the government CA branch - called DigiNotar PKIoverheid - has also been compromised.
In seeming preparation of these results, the Dutch government has sent out an email to users who've been issued a certificate via the DigiNotar PKIoverheid CA. All these companies/services are tied to the government or public services. Pending the results of this audit the Dutch government is asking PKIoverheid certificate owners to do the following:
- List the PKIoverheid certificates in the organisation.
- List the processes for which these certificates are being used.
- List the consequences in case the PKIoverheid certificates can no longer be trusted.
I think it would be wise at this point for the affected browser makers to start preparing an update which will also blacklist DigiNotar's PKIoverheid CA. Pending the outcome of the audit, of course.
A lot of Dutch government sites and services are going to be affected by the revocation. Clean up is going to be painful.
The Dutch government has used DigiNotar as an intermediary CA in quite a lot of cases. The Dutch government actually has a root CA of their own. It could be leveraged to quickly produce new certificates for affected services.
I hope it's truly clear now that the Dutch government needs to distance itself from DigiNotar.