[arch-dev-public] How to disable the DigiNotar root cert on Arch
Pierre Schmitz
pierre at archlinux.de
Tue Aug 30 16:24:33 EDT 2011
Hi all,
there was another incident with a CA. See
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
for more details. If you would like to distrust this issuer, you'll find a
howto for Firefox at
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
For other apps that use our ca-certificates package (by Debian) you can
easily disable the root cert by issuing the following commands as root:
    sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i /etc/ca-certificates.conf
    update-ca-certificates
This information is just for those who are curious. There is most
likely no need to panic for those people; especially if you don't live
in Iran. And if you do it's probably too late as the issuer was
compromised two months ago. And I thought the Comodo incident was already
a pure nightmare...
The whole CA structure we base our SSL security on is a mess imho.
Blindly shipping a bunch of certificates to our users does not seem to
be the best idea any more. Unfortunately there is no real alternative
atm.
Greetings,
Pierre
--
Pierre Schmitz, https://users.archlinux.de/~pierre
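
Added example, not part of the original message: a shell version of the deselect step that reports the entry's state before and after, so you can confirm the change before running update-ca-certificates. It assumes the ca-certificates.conf format (one path per line, '#' for comments, a leading '!' to deselect); the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed format of ca-certificates.conf: one certificate
# path per line, '#' starts a comment, a leading '!' deselects the entry.
# Usage (as root, followed by update-ca-certificates):
#   disable_ca_entry /etc/ca-certificates.conf mozilla/DigiNotar_Root_CA.crt

# Print the state of an entry: enabled, disabled or absent.
ca_entry_state() {
    conf=$1 entry=$2
    if grep -qxF -- "$entry" "$conf"; then
        echo enabled
    elif grep -qxF -- "!$entry" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Deselect an entry by prefixing it with '!'.
# Idempotent: an already disabled entry is left alone; an absent one is an error.
disable_ca_entry() {
    conf=$1 entry=$2
    case $(ca_entry_state "$conf" "$entry") in
        disabled) return 0 ;;
        absent)   echo "no such entry: $entry" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # awk compares whole lines literally, so '.' in the name is not a wildcard.
    awk -v e="$entry" '$0 == e { print "!" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"   # rewrite in place to keep owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Write a constructed sample config (not a real system file) to the given path.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for the example
mozilla/Example_Root_A.crt
mozilla/DigiNotar_Root_CA.crt
!mozilla/Example_Already_Disabled.crt
EOF
}
```
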