My understanding was DigiNotar was pretty strongly linked to an Iranian government affiliated hacker. Indeed, the breach was caught because someone man in the middled gmail in Iran and Chrome's certificate fingerprinting caught it.

Although the NSA certainly has reason to spy on Iran, why risk discovery this way? They can legally compel Google to give them the email of foreigners in a foreign country.

So maybe NSA had DigiNotar's key, but the hack that shut it down was done by someone else.

Or perhaps the Iran link was a misdirection. They were worried that people would notice the MITMed certs, so they MITMed a lot of Iranian customers to make it look like the attack came from there.

> They can legally compel Google to give them the email of foreigners in a foreign country.

They can, but they may wish to be more subtle than that. For example, if they were engaged in economic espionage, they might not want that story to break, and would be worried that someone at Google may leak the story. If they had to ask Google, there would be more people who would know about what's going on.

Plant hackers in Iran (or just buy Iranian blackhats). Hack someone. If you're caught, blame the Iranians. Two birds, one stone.

Here's some pretty detailed info in English: http://threatpost.com/final-report-diginotar-hack-shows-tota...

I still don't have a DigiD (which is a real pain in many ways) simply because I don't think they have the technical expertise to create a system with information like that that I would trust. It's just too juicy a target.