[arch-dev-public] How to disable the DigiNotar root cert on Arch

Pierre Schmitz pierre at archlinux.de
Tue Aug 30 16:24:33 EDT 2011


Hi all,

There was another incident with a CA. See
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
for more details. If you would like to distrust this issuer you'll find a
howto for Firefox at
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

For other apps that use our ca-certificates package (by Debian) you can
easily disable the root cert by issuing the following commands as root:

sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i /etc/ca-certificates.conf
update-ca-certificates

This information is just for those who are curious. There is most
likely no need to panic for those people; especially if you don't live
in Iran. And if you do it's probably too late as the issuer was
compromised two months ago. And I thought the Comodo incident was already
pure nightmare...

The whole CA structure we base our SSL security on is a mess imho.
Blindly shipping a bunch of certificates to our users does not seem to
be the best idea any more. Unfortunately there is no real alternative
atm.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
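
Added example, not part of the original message: an idempotent form of the deselect step above that matches the entry as a literal whole line and reports whether it ended up disabled. The function names and the entry mozilla/Example_Root_CA.crt are constructed for illustration; on a real system, point it at /etc/ca-certificates.conf and run update-ca-certificates afterwards as in the message.

```shell
#!/bin/sh
# Audit and deselect one entry in a ca-certificates.conf-style file.
# In that file "#" starts a comment and "!" marks a deselected certificate.

# ca_state CONF ENTRY -> prints enabled | disabled | absent
ca_state() {
    conf=$1 entry=$2
    if grep -Fxq -- "$entry" "$conf"; then
        echo enabled
    elif grep -Fxq -- "!$entry" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# deselect_ca CONF ENTRY -> prefixes the exact line with "!"; safe to re-run.
# Returns 0 if the entry ends up disabled, 1 if it is absent from the file.
deselect_ca() {
    conf=$1 entry=$2
    case $(ca_state "$conf" "$entry") in
        disabled) return 0 ;;   # already deselected, never produce "!!"
        absent)   return 1 ;;   # nothing to disable: the caller should know
    esac
    tmp=$(mktemp) || return 2
    # Literal whole-line comparison, so "." in the name is not a wildcard.
    awk -v e="$entry" '$0 == e { print "!" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"    # rewrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(ca_state "$conf" "$entry")" = disabled ]
}

# Constructed sample input, not a copy of a real system file.
make_sample_conf() {
    printf '%s\n' '# constructed sample' \
        'mozilla/Example_Root_CA.crt' \
        'mozilla/DigiNotar_Root_CA.crt' > "$1"
}

# Demo on a temporary copy; nothing under /etc is touched.
demo=$(mktemp) && make_sample_conf "$demo" &&
    deselect_ca "$demo" mozilla/DigiNotar_Root_CA.crt && cat "$demo"
rm -f "$demo"
```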

