On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
As a follow-up I'd recommend also removing the root certificates of "Staat der Nederlanden". The problem is that they had used DigiNotar as an intermediate CA. There are specific updates for Firefox and Chromium but other browsers are still affected. You can check if these certs are still accepted by your browser by visiting sites such as https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar intermediate cert. ATM I don't know of any other workaround than removing the root certs completely.
What is this advice based on? You're getting it wrong. "Staat der Nederlanden CA" is a root CA; they haven't been compromised. The certificate chain is as follows:

    Staat der Nederlanden CA -> DigiNotar -> fraud cert

If you remove DigiNotar from ca-certificates, you'll get this:

    Staat der Nederlanden CA -> missing cert -> fraud cert

Every sane client application will complain about the missing cert. Probably it won't even know about the Staat der Nederlanden CA, as you can't resolve to it directly without having the DigiNotar certificate. The thing Mozilla is talking about is their special exception that has been removed. In Firefox 6.0.1, if you had a certificate signed by DigiNotar that resolved to the Staat der Nederlanden CA, it would accept this certificate as valid. This exception has been removed in 6.0.2.
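The chain-building behaviour the reply describes, as an added example that is not part of the thread and not code from any of the browsers or distributions mentioned. It builds a constructed three-level chain (root -> intermediate -> leaf, standing in for Staat der Nederlanden CA -> DigiNotar -> leaf) in memory with Go's crypto/x509 and shows three outcomes: verification succeeds when the intermediate is available; merely deleting the intermediate makes the chain fail with "unknown authority" (the client never reaches the root, exactly as the reply says); and explicitly distrusting the intermediate by fingerprint rejects the chain on its own merits. The explicit-distrust check and all names, hostnames and serials are assumptions of this example, not the thread's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair holds a certificate and the private key that can sign with it.
type caPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mkCert issues a certificate for name; parent == nil means self-signed.
// Names and serials here are constructed for the example.
func mkCert(name string, isCA bool, parent *caPair, serial int64) (*caPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"example.test"} // constructed hostname
	}
	parentCert, signKey := tmpl, key
	if parent != nil {
		parentCert, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caPair{cert, key}, nil
}

// verifyLeaf builds the chain from leaf to root using the supplied intermediates,
// then rejects any chain containing a certificate on the explicit distrust list
// (keyed by SHA-256 of the DER encoding). The distrust step is this example's
// own illustration of distrusting a CA without deleting it from the store.
func verifyLeaf(leaf, root *x509.Certificate, intermediates []*x509.Certificate, distrusted map[[32]byte]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "example.test"})
	if err != nil {
		return err // e.g. x509.UnknownAuthorityError when the intermediate is missing
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[sha256.Sum256(c.Raw)] {
				return fmt.Errorf("chain contains explicitly distrusted certificate %q", c.Subject.CommonName)
			}
		}
	}
	return nil
}

// Outcome records the verification result of each scenario.
type Outcome struct {
	WithIntermediate    error // full chain available: expected nil
	WithoutIntermediate error // intermediate deleted: expected unknown authority
	WithDistrust        error // intermediate present but distrusted: expected rejection
}

// RunScenarios builds the constructed chain and exercises the three cases.
func RunScenarios() (Outcome, error) {
	root, err := mkCert("Example Root CA (stand-in for Staat der Nederlanden CA)", true, nil, 1)
	if err != nil {
		return Outcome{}, err
	}
	inter, err := mkCert("Example Intermediate CA (stand-in for DigiNotar)", true, root, 2)
	if err != nil {
		return Outcome{}, err
	}
	leaf, err := mkCert("example.test", false, inter, 3)
	if err != nil {
		return Outcome{}, err
	}
	distrust := map[[32]byte]bool{sha256.Sum256(inter.cert.Raw): true}
	return Outcome{
		WithIntermediate:    verifyLeaf(leaf.cert, root.cert, []*x509.Certificate{inter.cert}, nil),
		WithoutIntermediate: verifyLeaf(leaf.cert, root.cert, nil, nil),
		WithDistrust:        verifyLeaf(leaf.cert, root.cert, []*x509.Certificate{inter.cert}, distrust),
	}, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("with intermediate:   ", out.WithIntermediate)
	fmt.Println("without intermediate:", out.WithoutIntermediate)
	fmt.Println("with distrust:       ", out.WithDistrust)
}
```

The second scenario is the point of the reply: deleting the intermediate from the store does not produce a meaningful "this CA is distrusted" decision, it produces a generic unknown-authority failure that never mentions the root at all. Browsers that wanted to reject DigiNotar-issued certificates while keeping the Staat der Nederlanden root trusted had to ship an explicit rule, which is what the third scenario models.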