One point I’ve not effectively made that I should before I stop adding nothing to the discussions about CAs and DigiNotar: scope.
It’s one thing for this to happen to DigiNotar over in the Netherlands. But think about the impact of this if you live in the Netherlands.
Or what if this had been Network Solutions or Verisign or Thawte? Suddenly browser vendors shun their roots, or CNET and other journalists give your userbase instructions on shunning root certs. Think of the impact on your users if you run websites, on your own users who browse other websites, and on your own desire to buy something from Amazon, whose cert may now not be trusted for a few days.
I know there are tons of blog posts and articles explaining how to block trust in (or untrust) the DigiNotar roots. But that’s a pretty damaging, somewhat “scorched earth,” approach to addressing the problem.
Besides which, other than an incident currently happening, what reason is there to give Network Solutions more trust than DigiNotar? Of the 600 CAs, how do you stratify which are better than others?