
Trust on the Web

The DigiNotar breach has dealt a serious blow to Internet security and trust.
Open letter to our customers and partners.


Pascal Colin
Chief Executive Officer of Keynectis and OpenTrust

Dear Customers and Partners,
In the wake of the recent affair concerning the DigiNotar certificate authority, which has significantly impacted Internet trust, I would like to review the facts and provide some perspective.

The 21st-century Internet must be secure, or it cannot exist. The Internet can only work with trust. Without trust, information can no longer be exchanged, electronic commerce will cease, webmail will no longer be protected, website authentication will no longer be secure, and so on. Today, Web security is still being shaped and maturing; an event of this kind can deliver a fatal blow to the Internet. As the Chief Executive Officer of Europe’s leading certificate authority, specializing in securing digital identities and transactions, I feel that it is my duty to clarify certain facts.


Review of the facts: a certificate authority has been permanently banned by Web browsers

DigiNotar, a certificate authority based in the Netherlands, was recently the victim of a major attack that enabled hackers to create fraudulent SSL digital certificates for more than 500 websites, including google.com, microsoft.com, webmail sites and US security agencies. SSL certificates are used to guarantee a website’s authenticity and to encrypt data exchanged between that website and the users’ Internet browsers. A fraudulent certificate enables one website to usurp the identity of another and pose as the authentic website to users. Users who believe they are visiting the authentic website are actually on the fraudulent site, which can then intercept their personal and confidential information and communications.

Web browser vendors have therefore decided to remove DigiNotar permanently from the lists of trusted certificate authorities used by their products, severely compromising the company’s future.

What DigiNotar was found guilty of is not so much being hacked, since no one is immune from an attack, including us, but:
  • its inability to detect the attack,
  • its failure to report the attack once discovered,
  • its lack of transparency with respect to the Internet security community,
  • its failure to answer questions posed, in particular, by browser vendors,
  • its slowness to react,
  • the insufficient human and technical resources and procedures implemented to prevent such attacks and, in the event that an attack occurs despite precautions taken, the inefficiency of its resistance and response.

What is a Certificate Authority?

A certificate authority (CA) makes a commitment to Web browser vendors such as Microsoft, Apple, Opera, Mozilla, Google and RIM to respect extremely strict procedures and implement the technical and human resources needed to ensure that the SSL certificates they issue for websites have been securely issued to authenticated individuals or organizations. (The same approach used with Web browsers is applied in other areas, such as digital signatures of documents, with vendors such as Microsoft or Adobe).

Details:

In exchange for these authentication services, vendors build the CA’s “root certificate” into their programs. Using the root certificate, the CA can then issue new digital certificates that will be trusted by the various applications. For example, if Keynectis as a certificate authority issues an SSL certificate to www.mywebsite.com, users visiting www.mywebsite.com will see a padlock next to the website address in their browser’s address bar. By clicking on the padlock, users can view the website’s digital identity. The Web browser trusts the certificate authority, Keynectis, which trusts the website https://www.mywebsite.com. The Web browser therefore trusts the website, accepts the www.mywebsite.com address using https and displays the padlock.


To ensure that the procedures and the resources we implement make Keynectis a trusted organization, we regularly undergo audits such as WebTrust (http://www.webtrust.org/) and those of the European Telecommunications Standards Institute (ETSI, http://www.etsi.org/). We also certify our software (EAL4+ under the Common Criteria, for example: http://www.commoncriteriaportal.org/products/). Lastly, we participate in groups such as the Certification Authorities and Browsers Forum (www.cabforum.org) to maintain a dialogue with the community.

The procedures we implement to validate the identity of individuals and organizations may seem burdensome to our customers and partners, and even consumer-unfriendly. As a certificate authority whose role is to guarantee trust, we have nevertheless chosen not to relax these sometimes painstaking procedures and rules we have established. 


What now?

The use of trust-based applications such as:

  • Digital signatures, especially for documents,
  • Encryption of information exchanges,
  • Digital authentication of individuals, organizations, machines, websites, etc.
  • Timestamping using a certified timestamping server,
  • Legally admissible, secure archives,

will become increasingly widespread. People and organizations will become more familiar with these practices and applications. Stricter rules and procedures will be applied. For example, SSL Extended Validation certificates will gradually replace other SSL certificates, which offer fewer guarantees, and SSL Domain Validated certificates provided through automated procedures will be discontinued. Audits of certificate authorities will be reinforced and become increasingly stringent. It is also likely that government authorities will want to get involved and possibly pass regulations on the issuing of SSL certificates for domain names, for example. National data privacy organizations may require that all transmissions of personal information using Web forms be encrypted using an SSL certificate.

We are in favor of and are promoting these changes.


A newsletter to keep you informed

We are aware of the important role we play as Europe’s leading certificate authority. For this reason, we have decided to publish a newsletter to keep you informed of any changes relating to securing digital identities and Internet trust. The newsletter will be monthly and cater to all audiences. In it, for example, readers will learn how to better recognize when they can trust a website.
To sign up for the newsletter, send an email to [subscription address not reproduced on this page].


Acknowledgements

On behalf of our employees and shareholders, we would like to thank you for your trust and assure you that we are implementing the resources needed to fulfill our role as a responsible company and be worthy of this trust.

The Internet is a major component of the vast digital adventure that we are living today and that is just beginning, and we are proud to be guiding you in this adventure by helping to make it secure.

Pascal Colin
Chief Executive Officer of Keynectis and OpenTrust