[arch-dev-public] How to disable the DigiNotar root cert on Arch

Jan de Groot jan at jgc.homeip.net
Wed Sep 7 08:35:21 EDT 2011

On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:

> As a follow-up I'd recommend to also remove the root certificates of
> "Staat der Nederlanden". The problem is that they had used DigiNotar as
> intermediate CA. There are specific updates for Firefox and Chromium but
> other browsers are still affected. You can check if these certs are
> still accepted by your browser by visiting sites such as
> https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
> intermediate cert. ATM I don't know of any other workaround than removing
> the root certs completely.

What is this advice based on? You're getting it wrong. "Staat der
Nederlanden CA" is a root CA, they haven't been compromised. The certificate
chain is as follows:

Staat der Nederlanden CA -> DigiNotar -> fraud cert

If you remove DigiNotar from ca-certificates, you'll get this:

Staat der Nederlanden CA -> missing cert -> fraud cert

Every sane client application will complain about the missing cert.
Probably it won't even know about the Staat der Nederlanden CA, as you
can't resolve to it directly without having the DigiNotar certificate.

The thing Mozilla is talking about is their special exception that
has been removed. In Firefox 6.0.1, if you had a certificate signed by
DigiNotar that resolved to the Staat der Nederlanden CA, it would accept
this certificate as valid. This exception has been removed in 6.0.2.
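The chain argument in the reply can be checked directly with the OpenSSL command-line tool, which is what `ca-certificates` feeds on Arch. The script below is an added example, not part of the thread and not Arch's or Mozilla's code: it builds a throwaway three-level chain with constructed names standing in for the diagram (a self-signed root playing "Staat der Nederlanden CA", an intermediate playing "DigiNotar", and a leaf in the "fraud cert" slot), then runs `openssl verify` against three trust bundles: the full bundle, the bundle with the intermediate removed (the mail's "missing cert" case), and the bundle with only the root removed (the quoted suggestion). A fourth check goes one step beyond the mail: it passes the intermediate as `-untrusted`, the way a TLS client sees it when the server sends its chain in the handshake, which is why removing an intermediate from the bundle does not reliably distrust it and why Mozilla's fix is an explicit distrust rather than a deletion. It assumes an `openssl` binary of version 1.1.1 or later in `PATH`; all file names and CN values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Toy chain mirroring the mail's diagram:
#   Staat der Nederlanden CA -> DigiNotar -> leaf
# and what `openssl verify` reports under different trust bundles.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files (POSIX sh has no <( ), so write them out).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# Root CA, self-signed: plays "Staat der Nederlanden CA" (constructed name).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.csr" -subj "/CN=Toy Staat der Nederlanden CA" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

# Intermediate CA, signed by the root: plays "DigiNotar" (constructed name).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -out "$WORK/inter.csr" -subj "/CN=Toy DigiNotar Intermediate" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/inter.pem" >/dev/null 2>&1

# Leaf, signed by the intermediate: the end-entity slot of the diagram.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=example.invalid" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
  -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# Three bundles standing in for variants of /etc/ssl/certs/ca-certificates.crt.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle_full.pem"
cp "$WORK/root.pem"  "$WORK/bundle_no_diginotar.pem"   # intermediate removed
cp "$WORK/inter.pem" "$WORK/bundle_no_root.pem"        # root removed instead

# verify_leaf BUNDLE [UNTRUSTED_CHAIN]
# Prints "OK" when the leaf validates against BUNDLE, otherwise the text of
# OpenSSL's "error N at D depth lookup: ..." line. UNTRUSTED_CHAIN, if given,
# is handed over with -untrusted, i.e. like certificates a server sends.
verify_leaf() {
    bundle=$1
    untrusted=${2:-}
    if [ -n "$untrusted" ]; then
        out=$(openssl verify -no-CApath -no-CAfile -CAfile "$bundle" \
              -untrusted "$untrusted" "$WORK/leaf.pem" 2>&1) && { echo OK; return 0; }
    else
        out=$(openssl verify -no-CApath -no-CAfile -CAfile "$bundle" \
              "$WORK/leaf.pem" 2>&1) && { echo OK; return 0; }
    fi
    printf '%s\n' "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup:[ ]*//p' | head -n 1
}

# Stand-alone run: print one line per scenario.
for b in bundle_full bundle_no_diginotar bundle_no_root; do
    printf '%-24s %s\n' "$b:" "$(verify_leaf "$WORK/$b.pem")"
done
printf '%-24s %s\n' "root + peer-sent inter:" "$(verify_leaf "$WORK/root.pem" "$WORK/inter.pem")"
```

Read together, the four lines show the two halves of the argument: removing either the intermediate or the root from the bundle leaves a hole that every chain through it falls into (the mail's "missing cert"), so the root need not go; but when the peer supplies the intermediate itself, a bundle that merely lacks the intermediate still validates the leaf, which is why a compromised intermediate has to be distrusted explicitly rather than just not shipped.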
