Comment Re:At some point (Score 1) 111

The thing is that it does not matter at all how secure the organization you buy your certificate from is.
What matters is how secure the least secure of those hundreds of organizations that sell certificates is.
You can buy your certificate from the most secure one, but someone else can buy or steal it from the least secure organization and it will be trusted just as much.

Comment Re:Crypto is hard (Score 1) 78

To revoke the DigiNotar intermediate, a browser that has OCSP or CRL does not need an update. At least if it is formally revoked by the Dutch state (which it isn't, AFAIK).

The updates are only required for root certificate revocations, apparently there is no OCSP or CRL for those (something that should be fixed).
But Mozilla is not distrusting the certificates based on revocation, but guided by the "CN=DigiNotar" in their issuer field.
That is why they need to upgrade the code.

In fact it is ugly: hardcoded exceptions for specific mishaps are being added to the software.
Something should be done that enables control of this kind of mishap without having to update the software.

E.g. at work we have a Mozilla SeaMonkey 2.0 deployment that I cannot yet upgrade to 2.3 because of bugs in that version, and there are no updates to 2.0 released anymore. Of course OCSP is enabled, but it would be better if it also worked for root certificates.

Comment Re:Untrust Diginotar (Score 1) 78

They should, but they haven't done that yet.
There is a security bulletin 2607712 that explains what they did for Vista and newer, but for XP and 2003 they should release a new version of rootsupd.exe that will update the list of root certificates.
This is not an update to IE but to a separate Windows component that stores the root certificates.

Comment Re:Crypto is hard (Score 5, Insightful) 78

This was probably mainly said because DigiNotar itself publishes a FAQ that basically says "when the browser says the certificate is not to be trusted you must select the option to trust it anyway because 99.9% of the certificates are to be trusted".
The Dutch government wants to warn citizens that this is very bad advice from DigiNotar, and that sites should never be used when this warning appears.
In fact there is a campaign from banks to warn users that they should always pay attention to certificate warnings, and any official advice to ignore them is to be considered a very bad thing.

Of course DigiNotar does not understand "trust" at all. In their FAQ and press releases they apparently have the opinion that trust in the certificates is something they define themselves, while of course trust is something the user grants to the CA. When the user no longer trusts the CA, the CA is finished no matter how many times it declares that it is to be trusted.

But DigiNotar is not interested in the users or the victims of their actions. They are only interested in their own company and its revenues. This was already clear in the first press release they did, where they dared to include a paragraph that downplayed the effect of all this on their revenue and share value.
Let's see how this works out in practice. My prediction is that it will be worse than they claim.

Comment Re:Crypto is hard (Score 1) 78

This is not at all correct.
DigiNotar has its own root certificate and it was removed from the browsers this week, but this is not related to the Dutch government.
The Dutch state has its own trusted root certificate (a bad thing in its own right!) under which there are a couple of subordinate certificates, under which there is an intermediate certificate issued to DigiNotar, and that certificate is used to sign the server certificates for the governmental sites.
Only that last level was managed by DigiNotar, and the certificate used by them could be revoked and all server certificates would become invalid.
However, that was not done. The warning about security messages is only given because some browser vendors may ship updates that deem everything signed by DigiNotar untrusted, independent of the certificate tree above it.
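
The chain structure described in this comment, and the two ways of distrusting it discussed in the "Re:Crypto is hard" comment above (revocation of the intermediate through a CRL versus a hardcoded "CN=DigiNotar" issuer rule, and why a root cannot be revoked the same way), as an added example that is not part of the original comments. It models certificates as plain records rather than real X.509 data; the names and serial numbers are constructed placeholders, not the real PKIoverheid or DigiNotar certificates, and no signatures are checked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: just the fields the walk needs."""
    subject: str
    issuer: str
    serial: int


# Constructed chain with the shape the comment describes (toy names, not the
# real PKIoverheid or DigiNotar certificates):
#   state root -> state subordinate CA -> DigiNotar intermediate -> site cert
ROOT = Cert("CN=Staat der Nederlanden Root CA (toy)",
            "CN=Staat der Nederlanden Root CA (toy)", 1)      # self-signed
SUB = Cert("CN=Staat der Nederlanden Overheid CA (toy)", ROOT.subject, 2)
DIGINOTAR_INT = Cert("CN=DigiNotar PKIoverheid CA (toy)", SUB.subject, 3)
SITE = Cert("CN=www.example.nl", DIGINOTAR_INT.subject, 4)
CHAIN = [SITE, DIGINOTAR_INT, SUB, ROOT]   # leaf first, as a server sends it


def validate(chain, trust_anchors, crls, distrusted_issuer_cns=()):
    """Walk the chain from the leaf to a trust anchor.

    trust_anchors         -- set of Cert objects the client trusts (its root store)
    crls                  -- {issuer subject: {revoked serials}}, one CRL per issuing CA
    distrusted_issuer_cns -- substrings; any cert whose issuer contains one is
                             rejected regardless of revocation status (the
                             hardcoded name-based approach the comment describes)
    Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if any(cn in cert.issuer for cn in distrusted_issuer_cns):
            return False, f"{cert.subject}: issuer {cert.issuer!r} distrusted by name"
        if cert in trust_anchors:
            # A self-signed root names itself as issuer, so there is no CA above
            # it whose CRL could revoke it.  The only way to "revoke" a root is
            # to drop it from trust_anchors, i.e. ship a new trust store.
            return True, f"anchored at {cert.subject}"
        if i + 1 == len(chain):
            return False, f"{cert.subject}: chain does not end in a trust anchor"
        parent = chain[i + 1]
        if parent.subject != cert.issuer:
            return False, f"{cert.subject}: not issued by {parent.subject}"
        # Ordinary revocation: consult the CRL published by this cert's issuer.
        # (No signature checking here; a real validator verifies each link.)
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject}: serial {cert.serial} revoked by {cert.issuer}"
    return False, "unreachable"


def scenarios():
    """The cases discussed in the thread, as (ok, reason) results."""
    return {
        # Nothing revoked, root trusted: the site certificate validates.
        "intact": validate(CHAIN, {ROOT}, {}),
        # The state subordinate CA revokes the DigiNotar intermediate in its
        # CRL: every site cert below it fails with no browser update at all.
        "intermediate_revoked": validate(
            CHAIN, {ROOT}, {SUB.subject: {DIGINOTAR_INT.serial}}),
        # Browser hardcodes "CN=DigiNotar" as a distrusted issuer: the site
        # cert is rejected even though the state tree above it is untouched.
        "issuer_name_distrusted": validate(
            CHAIN, {ROOT}, {}, distrusted_issuer_cns=("CN=DigiNotar",)),
        # Listing the root's own serial in a CRL changes nothing: the walk
        # stops at the anchor before any CRL for it is consulted.
        "root_in_crl": validate(CHAIN, {ROOT}, {ROOT.subject: {ROOT.serial}}),
        # Removing the root from the trust store is what actually works.
        "root_removed": validate(CHAIN, set(), {}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:24} {'OK  ' if ok else 'FAIL'} {reason}")
```

The "issuer_name_distrusted" case is the one that produces a warning on government sites even though nothing in the state-run part of the tree was revoked; the "root_in_crl" versus "root_removed" pair is why root distrust needs a trust-store update while intermediate revocation does not.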

Comment Re:In other words, we don't have a clue. (Score 1) 177

But still in further statements they continue to claim that the trust in other certificates managed by the same company (under a different root) is not affected by all this.
First, that indicates that they have no clue what trust means, but also it is not at all unlikely that they have to announce next week that a fraudulent certificate was still issued, only their broken auditing system had not been able to trace it.

Comment Re:Let me know if you find this post: (Score 1) 181

I had a Linux desktop system in 1992 (ok, I installed it in December of that year) and it actually was quite impressive what you could already do back then.

It had a working X11 system with many interesting applications.
Even the networking already worked. I took it to work and connected it to the Ethernet, and I could use it as an X client and server with the DEC VAX and X terminals we had there. Except that I had color and those X terminals were b/w :-)
Everyone was really impressed...

Remember that Windows 95 did not appear until 3 years later!

Comment Re:Skype doesn't care (Score 1) 42

This is quite common today. Many social media websites offer no way to contact their support department for people who do not have an account themselves.
When I want to contact LinkedIn, Facebook, Twitter, Hyves or whatever to ask them to stop sending mail to some address, to remove a customer who has deceased, or whatever, the first thing they ask for is my username and password.
But I don't have and don't want accounts on sites like that. I only want to report events in a role as a system administrator.
No way to do it. They don't publish mail addresses, and the ones you may guess yourself or derive from whois are just black holes or return autoreplies that you have to use the form on their website. Which you can only access after logging in.

Clueless idiots.

Comment Re:Password Encrypted? (Score 1) 140

Whenever you type your password on the login form, it is available to them in plain text.
(of course it is transmitted encrypted over the internet, but then it is decrypted by their server)
If you are lucky they don't store your password in their database in plaintext, but each time you log in they have the opportunity to look up your password in their insecure password list before encrypting it again to compare it with their database entry.
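
The two server-side login flows this comment contrasts, as an added example that is not the original poster's code and not any real service's implementation. In both, the server receives the password in the clear after TLS is terminated; the difference is whether it keeps it. The user records are constructed for the example, and the hashed variant uses PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (current OWASP guidance is 600 000).
ITERATIONS = 600_000


# --- what the comment warns about: the password is kept as typed and compared
#     directly, so anyone who can read the table (or a log) has every password.
PLAINTEXT_DB = {"alice": "correct horse battery staple"}   # constructed record


def login_plaintext(db, user, password):
    return db.get(user) == password


# --- hardened form: keep only a per-user random salt and a slow hash.
def make_record(password, iterations=ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def login_hashed(db, user, password):
    rec = db.get(user)
    if rec is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    rec["salt"], rec["iterations"])
    # The plaintext lives only in this call: it is hashed, compared in constant
    # time and dropped.  The server still received it, which is the comment's
    # point; what it must not do is log it or, as above, keep it.
    return hmac.compare_digest(candidate, rec["digest"])


HASHED_DB = {"alice": make_record("correct horse battery staple")}   # constructed


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("plaintext:", login_plaintext(PLAINTEXT_DB, "alice", pw),
          login_plaintext(PLAINTEXT_DB, "alice", "wrong"))
    print("hashed:   ", login_hashed(HASHED_DB, "alice", pw),
          login_hashed(HASHED_DB, "alice", "wrong"))
    print("stored record contains the password:", pw in repr(HASHED_DB["alice"]))
```

A dump of HASHED_DB yields only salts and digests, so the "insecure password list" the comment describes does not exist on disk; the remaining exposure is the request handler itself, and anything (debug logging, crash dumps, a proxy in front of the application) that can see the request body before it reaches it.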

Comment I am not using hotmail, but maybe my friend is... (Score 1) 140

What I find disturbing with features like this, is how the service (be it hotmail, linkedin, facebook, whatever) always assumes that when you receive crap from one of their users and want to report it so something is done about it, you also have an account yourself.
I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.
So the "my friend has been hacked" report should not be only in their mail user interface, but also in some publicly accessible webpage or even better in the handling of mail sent to abuse@.

Furthermore, having monitored events of "hacked hotmail accounts" for some time, I believe quite a number of them are not hacked by bruteforcing the password, but by phishing or luring the user into "when you fill in this questionnaire we will send you a free LED lamp" etc., where one of the questions in the questionnaire actually asks the user to provide their mail address and password.
Many naive users give all info you ask them for when promised a free gift.

Comment Re:An HDMI cable is not just an HDMI cable (Score 1) 664

I agree. I have 15m (50ft) of cable running from the living room to the bedroom and it carries 1080i component video with hardly any visible degradation.
(the only thing that can be noticed when you know where to look for it is a tiny bit of reflection that is probably caused by sloppy termination in the TV or the set-top box)
Running HDMI cable is difficult because it runs through several small holes where HDMI connectors won't fit through, and I know of no viable way to manually fit an HDMI connector to an end of a cable. (which is easy with component video RCA connectors)

Comment Re:So that's why the UW mail system went down (Score 1) 473

The question is if you should be allowed to run an executable that you have downloaded and stored yourself.
It is easy to set up Windows in such a way that this is not possible, especially in a company environment (Active Directory with Group Policy).
Then users without special privileges cannot run any software that hasn't been installed by the system administrators. This includes any software found in (links from) mail.
