Pretty much every news report I've seen so far that mentions any kind of Iranian connection is claiming that it's Iranian state-sponsored hacking. If what's happened with the certs so far (someone grabbed a few sample certs for high-profile domains, and there was a report of one of them briefly appearing on a test server in Iran) is an indication of their competence then we really have nothing to fear from them. Let's look at what would have happened if *I'd* figured out a way to compromise a CA. First, I'd get a few test certs issued for high-profile domains, Microsoft, Google, Yahoo, and perhaps a CA cert just for giggles. Then I'd set up a server somewhere and install one of the sample certs to see whether any web browser noticed a problem. Gosh, this sounds awfully like what actually happened. New Zealand must have a state-sponsored cyberwar program! The only difference in my case is that after a day or so of inviting security people to have a giggle at the test server with my "genuine" cert, I'd notify the CA about the problem. If I was an Iranian script kiddie I probably wouldn't have much motivation to do that. So what we have here is either (a) the world's most incompetent state- sponsored cyberwar program, who get the keys to the kingdom and then have no idea what to do with them, or (b) a bunch of script kiddies having fun. What do you reckon the odds are? (And in all this I haven't seen any mention of the Al Kai-yee-da angle. What happened, is everyone asleep?). Peter.