On Wed, 07 Sep 2011 14:35:21 +0200, Jan de Groot wrote:
On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
As a follow-up I'd recommend also removing the root certificates of "Staat der Nederlanden". The problem is that they had used DigiNotar as intermediate CA. There are specific updates for Firefox and Chromium but other browsers are still affected. You can check if these certs are still accepted by your browser by visiting sites such as https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar intermediate cert. ATM I don't know of any other workaround than to remove the root certs completely.
What is this advice based on? You're getting it wrong. "Staat der Nederlanden CA" is a root CA; they haven't been compromised. The certificate chain is as follows:
Staat der Nederlanden CA -> DigiNotar -> fraud cert
If you remove DigiNotar from ca-certificates, you'll get this:
Staat der Nederlanden CA -> missing cert -> fraud cert
Doesn't the server also send the intermediate certs if needed? Or am I mixing things?
Every sane client application will complain about the missing cert. Probably it won't even know about the Staat der Nederlanden CA, as you can't resolve to it directly without having the DigiNotar certificate.
I did a brief test with curl and webkit browsers such as rekonq. They accept the certificates from the site mentioned above unless I disable "Staat der Nederlanden CA". Afaik Firefox does an explicit check if there is a DigiNotar cert within the chain; other browsers and clients most likely don't. So I still think it's the easiest for most people to disable those certs as well. But yes, I am not absolutely sure, as the information you can find in the media atm is not that accurate. E.g. heise states that Microsoft will remove the Netherlands root cert completely.
-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
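As an added example that is not part of the thread, here is a small Python model of how a client builds a trust path, run against the three remediations discussed above (dropping only DigiNotar from ca-certificates, dropping the Dutch root as well, or a Firefox-style refusal of DigiNotar anywhere in the chain). Certificates are modelled as subject/issuer name pairs only; the names are constructed for the example and no real certificates, keys or signatures are involved.

```python
# Added example (not from the thread): a toy model of X.509 path building.
# Certs are just subject/issuer pairs; names below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # a root has subject == issuer

ROOT = Cert("Staat der Nederlanden CA", "Staat der Nederlanden CA")
INTERMEDIATE = Cert("DigiNotar", "Staat der Nederlanden CA")
LEAF = Cert("secure.valkenswaard.nl", "DigiNotar")   # modelled leaf, not the real cert

def build_path(server_chain, trust_store, distrusted=frozenset()):
    """Walk issuer links from the leaf until a locally trusted cert is reached.

    server_chain: certs presented by the server (leaf first, plus any
                  intermediates it sends along, as most servers do).
    trust_store:  locally trusted certs (what ca-certificates provides).
    distrusted:   subjects refused anywhere in the path, modelling the
                  explicit DigiNotar check Firefox is said to do.
    Returns (ok, path) with path listing subjects from leaf to anchor.
    """
    by_subject = {c.subject: c for c in list(server_chain) + list(trust_store)}
    anchors = {c.subject for c in trust_store}
    current, path, seen = server_chain[0], [server_chain[0].subject], set()
    while True:
        if current.subject in distrusted:
            return False, path        # blocklisted CA somewhere in the chain
        if current.subject in anchors:
            return True, path         # reached a cert we trust locally
        if current.subject in seen or current.issuer == current.subject:
            return False, path        # loop, or self-signed root nobody trusts
        seen.add(current.subject)
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return False, path        # "missing cert": nobody supplied the issuer
        current = issuer
        path.append(current.subject)

def remediation_outcomes():
    """Outcomes for a server that sends its DigiNotar intermediate with the leaf."""
    server_sends = [LEAF, INTERMEDIATE]
    return {
        # DigiNotar removed locally only: the server still supplies it, so the
        # path reaches the Dutch root and validates (what curl/rekonq showed).
        "remove_diginotar_only": build_path(server_sends, {ROOT})[0],
        # Root removed as well: nothing anchors the path any more.
        "remove_root_too": build_path(server_sends, set())[0],
        # Root kept, DigiNotar refused anywhere in the path (Firefox-style).
        "blocklist_diginotar": build_path(server_sends, {ROOT}, {"DigiNotar"})[0],
        # Server sends only the leaf and DigiNotar is gone locally: missing cert.
        "leaf_only_no_local_intermediate": build_path([LEAF], {ROOT})[0],
    }
```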