Tuesday morning, Chicago-based authentication services provider Vasco Data Security announced its DigiNotar subsidiary, which issues certificates for SSL used to secure financial and other discrete transactions online, detected a security breach that forced it to issue improper certificates. One of those certificates, it admitted, was for Google.com.
It would be a shocking occurrence if it weren't so common. A root certificate authority (CA) is, by definition, the starting point for all trust in the Web transaction system. It self-signs its own certificate as a way of validating its own validity. Thus when DigiNotar's validity isrevoked, as it was yesterday by Mozilla, among others, all the certificates it signs - including the one for itself - lose their authenticity.