Untrusted Certificate Store to be updated with Malaysian Sub CA

Posted by bink on November 4 2011, 2:26 PM.

From the MS security response blog:

This post is to notify customers that Microsoft will revoke trust in an Intermediate Certificate Authority, DigiCert Sdn. Bhd. (Digicert Malaysia) in an update to be released through Windows Update.

DigiCert Sdn. Bhd. is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). There is no relationship between DigiCert Malaysia and DigiCert Inc., which is a member of the Windows Root Certificate Program.

Microsoft was notified by Entrust, Inc., a certificate authority in the Microsoft Root program, that a Malaysian subordinate CA, DigiCert Sdn. Bhd., issued 22 certificates with weak 512-bit keys. Additionally, this subordinate CA has issued certificates without the appropriate usage extensions or revocation information. This is a violation of the Microsoft Root Program requirements (http://technet.microsoft.com/en-us/library/cc751157.aspx).

There is no indication that any certificates were issued fraudulently; however, these weak keys have allowed some of the certificates to be compromised. These compromised certificates could allow an attacker to impersonate the legitimate owner and make a user believe they are trusting a website or signed software that was created for malicious use.

The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates.
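The three defects the notice names (512-bit RSA keys, missing usage extensions, no revocation information) are all visible in the certificate itself. The following added example, not code from Microsoft or the blog post, audits a certificate for them with the Python `cryptography` library; the 2048-bit threshold, the placeholder subject name and the self-signed sample certificate are assumptions chosen to reproduce the described defects offline.

```python
"""Audit an X.509 certificate for the defects the notice describes."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

MIN_RSA_BITS = 2048  # assumption: current baseline; the revoked certificates used 512

def audit_certificate(cert: x509.Certificate) -> list[str]:
    """Return the list of defects found (an empty list means every check passed)."""
    findings = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {key.key_size} bits")
    # Usage extensions: both KeyUsage and ExtendedKeyUsage should be present.
    for oid, name in ((ExtensionOID.KEY_USAGE, "KeyUsage"),
                      (ExtensionOID.EXTENDED_KEY_USAGE, "ExtendedKeyUsage")):
        try:
            cert.extensions.get_extension_for_oid(oid)
        except x509.ExtensionNotFound:
            findings.append(f"missing {name} extension")
    # Revocation information: a CRL distribution point or an OCSP responder in AIA.
    has_crl = has_ocsp = False
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
        has_crl = True
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        has_ocsp = any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)
    except x509.ExtensionNotFound:
        pass
    if not (has_crl or has_ocsp):
        findings.append("no revocation information (no CRL distribution point or OCSP responder)")
    return findings

def make_sample_certificate(key_size: int) -> x509.Certificate:
    """Constructed sample: a self-signed certificate with no extensions at all,
    reproducing the described defects (the subject name is a placeholder)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "weak.example")])
    start = datetime.datetime(2011, 11, 4, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
```

Run `audit_certificate` over a certificate loaded with `x509.load_pem_x509_certificate` to check real chains; the sample with a 512-bit key reports all four findings, the 2048-bit sample only the three extension findings.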


Untrusted Certificate Store to be updated - MSRC - Site Home - TechNet Blogs