"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com," it explains. "Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked."
But, "recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."
Saying that no other types of certificates were compromised, the company says that it will temporarily suspending the sale of its SSL and EVSSL certificate offerings, and that it will organize new third-party audits.
Well, let's just hope the won't be using the same auditing firm. I also wonder if the one rogue certificate was all that these auditors missed. F-Secure says that it wasn't - they also missed the evidence of a number of defacements of DigiNotar's website that were executed over the years.
Whether this will appease Mozilla, Google and Microsoft, who have already moved to remove DigiNotar as a trusted root CA from their products, only time will tell.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.