DigiNotar hacker threatens to expand spy attacks using stolen certificates

08.09.2011

Eddy Nigg, the chief technology officer of StartCom, one of the two companies Comodohacker singled out today, wasn't buying it.

"I believe the hacker(s) are not directly related to Iran in any way, but simply criminals getting paid for every targeted certificate," said Nigg in an email reply to questions. "But the attacker or attackers are most likely not Iranian nor a student nor 21 years old. Evidence we have highly suggests that."

To conduct "man-in-the-middle" attacks using fraudulent certificates, an attacker must also be able to redirect the victim's traffic: by planting malware on individual computers, by compromising the domain name system (DNS) servers at one or more Internet service providers (ISP), or by having the assistance of ISPs or the cooperation of a government that controls the Internet within its borders, as Iran does.

Reaction to Comodohacker's new claims was swift from GlobalSign and StartCom.

"The GlobalSign CA root was created offline, and always has been offline," said GlobalSign in a statement. "Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA."