your ca is now untrusted, and hacker calling cards

In DR/BCP, we plan for natural events beyond our control all the time. But what about cyber events that are beyond our control? Take a certificate authority that screws up badly enough (or gets owned badly enough) that fraudulent certificates go out under its root. The browser and OS vendors respond by pushing an update that pulls that root out of the trust store, so every cert it ever issued, the legit ones included, stops validating on your users' machines. Oh, and what if you use that CA for your shit? A situation you had no part in just gut-punched you, and "wait for the CA to sort it out" is not a plan: once the root is gone, the only way back is reissuing from a CA that is still trusted, which means knowing which of your endpoints chain to which CA before you need to.
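Here is what that looks like in code, as an added example that is not from the original post: it builds two throwaway roots and a leaf under each, puts one root on a distrust list keyed on its SPKI hash (one of the ways real browser blocklists key entries), and then removes that root from the store entirely, which is the state your users end up in after the vendor update. The CA names, hostnames and serials are made up for the demo; the check itself is plain `crypto/x509` chain verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal valid-now cert template: a signing CA when isCA
// is set, otherwise a TLS server leaf for the given hostname.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert signs tmpl with parent/parentKey; a nil parent makes it self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SPKIHash is the hex SHA-256 of the SubjectPublicKeyInfo. Keying distrust on
// the CA's key rather than its display name means a re-issued CA cert that
// carries the same key stays distrusted.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckLeaf builds leaf's chain against roots and reports whether any cert in
// any chain is on the distrust list. A non-nil error means no chain builds at
// all, which is what clients see once the root is actually pulled.
func CheckLeaf(leaf *x509.Certificate, roots *x509.CertPool, distrusted map[string]bool) (bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil {
		return false, err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[SPKIHash(c)] {
				return true, nil
			}
		}
	}
	return false, nil
}

// Demo returns: whether each leaf is flagged while both (made-up) roots are
// still in the store, and the verify error for the second leaf once its root
// has been removed. Key generation failures are fatal for the demo.
func Demo() (safeFlagged, exposedFlagged bool, afterRemoval error) {
	must := func(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
		if err != nil {
			panic(err)
		}
		return c, k
	}
	goodCA, goodKey := must(newCert(template(1, "Good Root CA", true), nil, nil))
	badCA, badKey := must(newCert(template(2, "Soon Distrusted CA", true), nil, nil))
	goodLeaf, _ := must(newCert(template(10, "a.example", false), goodCA, goodKey))
	badLeaf, _ := must(newCert(template(11, "b.example", false), badCA, badKey))

	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(badCA)
	distrust := map[string]bool{SPKIHash(badCA): true} // the "browser update"

	// Both chains still build here (the root is in the store), so errors are nil.
	safeFlagged, _ = CheckLeaf(goodLeaf, roots, distrust)
	exposedFlagged, _ = CheckLeaf(badLeaf, roots, distrust)

	trimmed := x509.NewCertPool() // the vendor then drops the root entirely
	trimmed.AddCert(goodCA)
	_, afterRemoval = CheckLeaf(badLeaf, trimmed, distrust)
	return
}

func main() {
	safe, exposed, after := Demo()
	fmt.Println("leaf under good CA flagged:", safe)         // false
	fmt.Println("leaf under distrusted CA flagged:", exposed) // true
	fmt.Println("same leaf once root is removed:", after)     // non-nil error
}
```

Pointing `CheckLeaf` at your real cert inventory (parse the PEMs with `x509.ParseCertificate`, verify against the system pool) gives you the list of endpoints you would have to reissue, which is the number your DR plan should already have.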

For more on the DigiNotar incident(s), F-Secure has a great post about it. Pretty lame to have your pants yanked down, then find out they'd been yanked down several times in the past, and even though you told people you'd pulled them back up, you actually hadn't, and still had them down. GG for hacker calling cards. 🙂