28 Mar
2011
28 Mar
'11
9:25 p.m.
The original source of the info about the hack has now posted the private key corresponding to one of the bogus certs at http://pastebin.com/X8znzPWH. The public-key components are identical, haven't verified that the private key matches yet, but I'm going to guess it will. So a global CA wasn't 0wned by a nation-state cyberwar agency but by a random script kiddie having some fun. Oh the embarassment :-). Peter.