Archive for September, 2011

9/23/11: Update on Further DigiNotar Issues

The Dutch government today announced that DigiNotar’s subordinate Certificate Authorities (subCAs) under the Staat der Nederlanden root certificates will be revoked next Wednesday, September 28th.  This follows on the Dutch government’s removal of trust from DigiNotar, DigiNotar’s removal from the Netherlands Trust List, and the company’s announcement of bankruptcy proceedings.

DigiNotar Removed from the Adobe Approved Trust List

As discussed earlier on this blog, the Adobe Approved Trust List (AATL) has been updated to remove the DigiNotar Qualified CA root certificate. Users of Adobe Reader and Acrobat X (version 10.x) will receive the updated list automatically.

To make sure your copy of Adobe Reader or Acrobat gets the update, you can force a download of the AATL. Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button. Also, make sure the “Load trusted root certificates from an Adobe server” option is checked.

A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove the DigiNotar Qualified CA using instructions provided in the blog post.

Also note that the Dutch government has published a document regarding the impact of the removal on signed PDFs.  That document (in Dutch and English) can be found at the links below:

Dutch version:

http://www.logius.nl/actueel/item/titel/verwijdering-diginotar-uit-adobe-reader/

English version:

http://www.logius.nl/english/news-message/titel/removal-of-diginotar-from-adobe-reader/

 

 

This posting is provided “AS IS” with no warranties and confers no rights.

Information Regarding Adobe Reader & Acrobat and the Removal of DigiNotar from the Adobe Approved Trust List

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services.  The full extent of the attack is still not clear.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.
