[arch-dev-public] How to disable the DigiNotar root cert on Arch

Jan de Groot jan at jgc.homeip.net
Wed Aug 31 06:48:16 EDT 2011


On Tue, 2011-08-30 at 22:24 +0200, Pierre Schmitz wrote:
> Hi all,
> 
> there was another incident with a CA. See
> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
> for more details. If you like to distrust this issuer you'll find a
> howto for Firefox at
> http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
> 
> For other apps that use our ca-certificates package (by Debian) You can
> easily disable the root cert by issuing the following commands as root:
> 
> sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i /etc/ca-certificates.conf
> update-ca-certificates
> 
> This information is just for those who are curious. There is most
> likely no need to panic for those people; especially if you don't live
> in Iran. And if you do it's probably too late as the issuer was
> compromised two months ago. And I thought the Comodo incident was already
> a pure nightmare...
> 
> The whole CA structure we base our SSL security on is a mess imho.
> Blindly shipping a bunch of certificates to our users does not seem to
> be the best idea any more. Unfortunately there is no real alternative
> atm.

The whole SSL system is based on trust. We have to trust the CA roots,
and those CA roots have to trust their clients. That way, we trust the
clients they trust.
So far, not much is wrong with that system, but when it turns out the CA
root can't be trusted, that CA root should get kicked out. You can't
tell the difference between a valid certificate issued by the CA root,
or an invalid certificate issued by a hacker using his key.

I already removed DigiNotar from nss. Ionut updated Firefox to 6.0.1,
which distrusts all certificates that are issued by DigiNotar, with the
exception of those that originate from the PKIOverheid CA.

We should remove DigiNotar from our ca-certificates package. A CA that
doesn't care about security, doesn't inform us about hacks and doesn't
even know what systems were affected should not be trusted.

Looking at Debian, they already blacklisted DigiNotar:
http://packages.qa.debian.org/c/ca-certificates/news/20110831T024756Z.html
We should do the same.
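The config edit from the thread, as an added example that is not part of the original messages: it marks one entry in a Debian/Arch-style ca-certificates.conf as disabled, is safe to re-run, reports when the name is not listed at all, and is checked against a constructed sample file. The helper names are assumed, not part of the ca-certificates package, and the exact-string awk match stands in for the sed regex so that the "." in the file name needs no escaping.

```shell
#!/bin/sh
# Added example (not from the thread): disable one root CA in a
# Debian/Arch-style /etc/ca-certificates.conf and check the result.
# Format assumed: one cert per line, "mozilla/Name.crt" enables it,
# a leading "!" disables it, "#" starts a comment.  The helper names
# below are hypothetical, not part of the ca-certificates package.

# ca_is_disabled CONF NAME: exit 0 if NAME is listed and disabled.
ca_is_disabled() {
    grep -q -x -F "!$2" "$1"
}

# distrust_ca CONF NAME: prefix NAME's line with "!" (exact match,
# so names containing regex metacharacters like "." are safe).
# Idempotent.  Exit 0 when the entry ends up disabled, 1 when NAME
# is not listed in CONF at all.
distrust_ca() {
    conf=$1; name=$2
    ca_is_disabled "$conf" "$name" && return 0          # already done
    grep -q -x -F "$name" "$conf" || return 1            # unknown entry
    awk -v n="$name" '$0 == n { print "!" n; next } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    ca_is_disabled "$conf" "$name"                       # verify the edit
}

# Constructed sample standing in for /etc/ca-certificates.conf.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# This file lists certificates that you wish to use or to ignore.
mozilla/DigiNotar_Root_CA.crt
mozilla/Other_Root_CA.crt
EOF

distrust_ca "$sample_conf" "mozilla/DigiNotar_Root_CA.crt"
# On a real system, run "update-ca-certificates" afterwards (the
# thread's second step) to rebuild /etc/ssl/certs; not invoked here.
```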
