2nd CLARIFICATION STATEMENT BY DIGICERT SDN BERHAD
Date: 7th November, 2011
We refer to the reports that have been circulating in several online portals with regard to the allegations that Digicert Sdn Bhd has been issuing digital certificates fraudulently. We view the allegations as very serious and we vehemently deny any fraudulent act on our part. The certificates were issued following standard processes which were annually audited.
Nevertheless, we acknowledge that a total of twenty-two (22) 512-bit key certificates had earlier been issued to various organisations. The SSL 512-bit key certificates issued under Digisign Server ID - (Enrich) have mismatched capabilities from the prescribed standards.
Pursuant thereto, we have immediately identified the necessary actions to replace all the twenty-two (22) 512-bit key certificates that we have earlier issued. The actions that have been implemented and put in place were:
- Revoked the 22 512-bit certificates and advised the Internet browsers to blacklist the certificates;
- Formed a special task force and a dedicated call centre to reply to queries from our customers. The number for the Call Centre is: 03-8992 8880;
- Sent advisories to the impacted customers to replace their current Secure Socket Layer (SSL) certificates. The advisories include steps to replace the customers’ certificates;
- Communicated with the customers directly on the urgent need to replace the certificates. We have also put resources on standby to assist the customers on this matter. The replacement of certificates should be on or before 8 November 2011 and as such we are ready to deploy our resources at customers’ site to assist them in generating the keys.
- Expedited the process of replacing the certificates by working closely with Digicert’s partner, Entrust Inc.
The subsequent action plan has also been identified:
- Revised our internal policy with regard to strict processes on issuance of certificates with a stronger key (2048-bit) for all our SSL customers.
- Undertake to employ the Webtrust program so that in future we will not be dependent on a foreign root CA.
We would like to give assurance that based on our internal investigation, there is no indication whatsoever that any of the other certification authority (CA) issued by us have been compromised. With regard to the 512-bit key certificates issued under Digisign Server ID (Enrich), we would like to assure that all the issues that have arisen will be resolved WITHIN THESE FEW DAYS upon the implementation of all the above mentioned actions and by working closely with Entrust.
We apologise for the inconvenience caused and appreciate your understanding and cooperation in the matter.
If further clarification on the matter is required, please do not hesitate to contact the following personnel.
Ami Azrul bin Abdullah
Hj. Amir Suhaimi Hassan
Mohd Rosdeen Hassan
Chief Executive Officer
Digicert Sdn Bhd