We recently blogged about Mozilla revoking trust in the DigiCert Sdn Bhd certification authority. Now our search has turned up further news: Microsoft will take the same action, revoking trust in DigiCert Sdn Bhd certificates via Windows Update. Since DigiCert Sdn Bhd issues certificates to several Malaysian government websites, how will these actions by Mozilla and Microsoft affect users?
“There is no indication that any certificates were issued fraudulently; however, these weak keys have allowed some of the certificates to be compromised. These compromised certificates could allow an attacker to impersonate the legitimate owner and make a user believe they are trusting a website or signed software that was created for malicious use. The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates.” – Jerry Bryant, Group Manager, Response Communications, Trustworthy Computing
Microsoft will revoke trust in an intermediate certificate authority, DigiCert Sdn Bhd, through an update released via Windows Update. DigiCert Sdn Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). There is no relationship between DigiCert Malaysia and DigiCert Inc., which is a member of the Windows Root Certificate Program.
Microsoft was notified by Entrust Inc., a certificate authority in the Microsoft Root Program, that a Malaysian subordinate CA, DigiCert Sdn Bhd, issued 22 certificates with weak 512-bit keys. Additionally, this subordinate CA issued certificates without the appropriate usage extensions or revocation information. This is a violation of the Microsoft Root Program requirements.
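The three defects named above (512-bit RSA keys, missing usage extensions, missing revocation information) are all visible in a certificate's DER encoding, so anyone running a relying party or reviewing a CA's output can check for them directly. The script below is an added example written for this post, not code from Microsoft, Entrust or either DigiCert: it walks the DER with a small standard-library parser and reports an RSA modulus below 2048 bits (that threshold is the checker's own choice, not a figure from the post), a missing keyUsage or extendedKeyUsage extension, and the absence of both a CRL distribution point and an authorityInfoAccess extension. The test certificates it builds are constructed shells with a fake modulus and an all-zero signature, good only for exercising the checker.

```python
"""Added example: flag weak RSA keys, missing keyUsage/extendedKeyUsage and missing
revocation pointers in a DER-encoded X.509 certificate. Standard library only; the
minimal DER walker and the constructed test certificates are written for this example."""

OID_RSA = "1.2.840.113549.1.1.1"        # rsaEncryption
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_CRL_DP = "2.5.29.31"
OID_AIA = "1.3.6.1.5.5.7.1.1"
MIN_RSA_BITS = 2048                      # this checker's threshold, not a value from the post

SEQUENCE, SET, INTEGER, BIT_STRING = 0x30, 0x31, 0x02, 0x03
OCTET_STRING, NULL, OID, UTF8 = 0x04, 0x05, 0x06, 0x0C


def der_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed type into its (tag, value) children."""
    kids, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        kids.append((tag, v))
    return kids


def walk(tag, value):
    """Depth-first over every node; only constructed types (bit 0x20) are descended into."""
    yield tag, value
    if tag & 0x20:
        for t, v in der_children(value):
            yield from walk(t, v)


def decode_oid(value):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def audit_certificate(der):
    """Return {'rsa_bits': int or None, 'findings': [str]} for one DER certificate."""
    tag, body, _ = der_tlv(der, 0)
    rsa_bits, ext_oids = None, set()
    for t, v in walk(tag, body):
        if t != SEQUENCE:
            continue
        kids = der_children(v)
        # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
        if len(kids) == 2 and kids[0][0] == SEQUENCE and kids[1][0] == BIT_STRING:
            alg = der_children(kids[0][1])
            if alg and alg[0][0] == OID and decode_oid(alg[0][1]) == OID_RSA:
                rsa_pub = der_children(kids[1][1][1:])          # skip the unused-bits byte
                modulus = der_children(rsa_pub[0][1])[0][1]     # RSAPublicKey.modulus
                rsa_bits = int.from_bytes(modulus, "big").bit_length()
        # Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }
        if len(kids) >= 2 and kids[0][0] == OID and kids[-1][0] == OCTET_STRING:
            ext_oids.add(decode_oid(kids[0][1]))
    findings = []
    if rsa_bits is None:
        findings.append("no RSA SubjectPublicKeyInfo found (non-RSA key or unparsed)")
    elif rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus is {rsa_bits} bits, below {MIN_RSA_BITS}")
    if OID_KEY_USAGE not in ext_oids:
        findings.append("keyUsage extension missing")
    if OID_EXT_KEY_USAGE not in ext_oids:
        findings.append("extendedKeyUsage extension missing")
    if not ext_oids & {OID_CRL_DP, OID_AIA}:
        findings.append("no revocation information (neither cRLDistributionPoints nor authorityInfoAccess)")
    return {"rsa_bits": rsa_bits, "findings": findings}


# Constructed test input: a structurally valid certificate shell with a fake key and zero signature.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_int(n):
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # keeps a leading 0x00 if the top bit is set


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def build_test_cert(modulus_bits, extension_oids):
    """Constructed certificate: odd modulus of exactly modulus_bits (not a real key), zero signature."""
    rsa_pub = tlv(SEQUENCE, encode_int((1 << (modulus_bits - 1)) | 1) + encode_int(65537))
    spki = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(OID_RSA) + tlv(NULL, b"")) + tlv(BIT_STRING, b"\x00" + rsa_pub))
    name = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, encode_oid("2.5.4.3") + tlv(UTF8, b"constructed test"))))
    validity = tlv(SEQUENCE, tlv(0x17, b"111101000000Z") * 2)
    sig_alg = tlv(SEQUENCE, encode_oid("1.2.840.113549.1.1.11") + tlv(NULL, b""))  # sha256WithRSAEncryption
    ext_list = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(OCTET_STRING, b"\x30\x00")) for o in extension_oids)
    tbs = tlv(SEQUENCE, tlv(0xA0, encode_int(2)) + encode_int(1) + sig_alg + name + validity + name
              + spki + tlv(0xA3, tlv(SEQUENCE, ext_list)))
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BIT_STRING, bytes(9)))


if __name__ == "__main__":
    sound_exts = [OID_KEY_USAGE, OID_EXT_KEY_USAGE, OID_CRL_DP, OID_AIA]
    for label, cert in (("weak", build_test_cert(512, [])), ("sound", build_test_cert(2048, sound_exts))):
        print(label, audit_certificate(cert))
```

Against a real certificate, `audit_certificate(open("cert.der", "rb").read())` is all that is needed; the parser only reads structure and never validates the signature, so it is a triage tool for spotting the kinds of issuance mistakes described here, not a substitute for chain validation.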