Mozilla has 'distrust' for DigiNotar certificates and intermediaries

DigiNotar is the Dutch certificate authority that issued more than 500 bogus digital certificates in the name of major web properties, as well as intelligence services, such as the CIA, MI6, and Mossad.

The Mozilla security advisory is a follow-up to one issued at the end of August, in which Mozilla removed the DigiNotar root certificate. Sites using the certificates “will need to seek another certificate vendor”, Mozilla said.

In the most recent advisory, Mozilla expanded the ban to DigiNotar certificate intermediaries, including the Dutch government. “Removing the root as in our previous fix meant the certificates could be considered valid if cross-signed by another Certificate Authority. Importantly this list of distrusted certificates includes the 'PKIOverheid' (PKIGovernment) intermediates under DigiNotar's control that did not chain to DigiNotar's root and were not previously blocked”, explained Mozilla.
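To make the point in Mozilla's advisory concrete, here is an added illustration (not Mozilla's code): a toy model of certificate path building with constructed certificates and key identifiers, showing that deleting one root still leaves a valid path through a cross-signed copy of the intermediate, while an explicit distrust of the intermediate's key closes every path.

```python
# Added illustration, not Mozilla's or DigiNotar's code. A minimal model of
# X.509 path building: removing a root is not enough when an intermediate has
# been cross-signed by another CA; the intermediate's key must be distrusted.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # stands in for the Subject Key Identifier
    issuer_key_id: str  # stands in for the Authority Key Identifier


def build_chain(leaf, pool, trusted_roots, distrusted_key_ids):
    """Depth-first search for a path from leaf to a trusted root key.
    Returns the chain as a list of subjects, or None if no valid path exists.
    A cert whose key is distrusted can never be on a path, whoever signed
    it; that is the difference from merely deleting a root."""
    def walk(cert, seen):
        if cert.key_id in distrusted_key_ids:
            return None
        if cert.key_id in trusted_roots:
            return [cert.subject]
        for cand in pool:
            # Any cert carrying the issuer's key may extend the path; a
            # cross-signed intermediate exists as several such certs.
            if cand.key_id == cert.issuer_key_id and cand.key_id not in seen:
                tail = walk(cand, seen | {cand.key_id})
                if tail is not None:
                    return [cert.subject] + tail
        return None
    return walk(leaf, {leaf.key_id})


# Constructed PKI: two roots, one intermediate key certified by both roots.
ROOT_A = Cert("Root A (DigiNotar-like)", "Root A (DigiNotar-like)", "kA", "kA")
ROOT_B = Cert("Root B (other CA)", "Root B (other CA)", "kB", "kB")
INTER_A = Cert("Intermediate X", "Root A (DigiNotar-like)", "kX", "kA")
INTER_B = Cert("Intermediate X", "Root B (other CA)", "kX", "kB")  # cross-signed
LEAF = Cert("www.example.test", "Intermediate X", "kL", "kX")
POOL = [ROOT_A, ROOT_B, INTER_A, INTER_B]


def after_root_removal():
    """Only Root A was removed: the cross-signed path via Root B still validates."""
    return build_chain(LEAF, POOL, trusted_roots={"kB"}, distrusted_key_ids=set())


def after_intermediate_distrust():
    """Intermediate key explicitly distrusted: no path exists, even via Root B."""
    return build_chain(LEAF, POOL, trusted_roots={"kB"}, distrusted_key_ids={"kX"})
```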

Commenting on the Mozilla announcement, Paul Ducklin with Sophos wrote: “This sort of step – vigorously disowning everything tainted by DigiNotar – is aggressive but, in my opinion, necessary. Getting into a certification relationship with company X is like buying shares in company X. If the price goes down, all shareholders lose out simultaneously. If the company goes down, you go down with it.”