[arch-dev-public] How to disable the DigiNotar root cert on Arch

Pierre Schmitz pierre at archlinux.de
Wed Sep 7 10:07:50 EDT 2011


On Wed, 07 Sep 2011 14:35:21 +0200, Jan de Groot wrote:
> On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
> 
>> As a follow up I'd recommend to also remove the root certificates of
>> "Staat der Nederlanden". The problem is that they had used DigiNotar as
>> intermediate CA. There are specific updates for Firefox and Chromium but
>> other browsers are still affected. You can check if these certs are
>> still accepted by your browser by visiting sites such as
>> https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
>> intermediate cert. ATM I don't know of any other workaround as remove
>> the roots certs completely.
>>
> 
> What is this advice based on? You're getting it wrong. "Staat der
> Nederlanden CA" is a root CA, they haven't been compromised. Certificate
> chain is as following:
> 
> Staat der Nederlanden CA -> DigiNotar -> fraud cert
> 
> If you remove DigiNotar from ca-certificates, you'll get this:
> 
> Staat der Nederlanden CA -> missing cert -> fraud cert

Doesn't the server also send the intermediate certs if needed? Or am I
mixing things?

> Every sane client application will complain about the missing cert.
> Probably it won't even know about the Staat der Nederlanden CA, as you
> can't resolve to it directly without having the DigiNotar certificate.

I did a brief test with curl and webkit browsers such as rekonq. They
accept the certificates from the site mentioned above unless I disable
"Staat der Nederlanden CA". Afaik Firefox does an explicit check if
there is a diginotar cert within the chain; other browsers and clients
most likely don't. So I still think it's the easiest for most people to
disable those certs as well.

But yes, I am not absolutely sure as the information you can find in
the media atm is not that accurate. E.g. heise states that Microsoft
will remove the Nederlands root cert completely.

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
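The disagreement above is about path building: whether deleting an intermediate from the local ca-certificates store changes anything when the server sends that intermediate itself. The following is an added toy model (not code from this thread or from Arch), with constructed certificate labels standing in for the real DNs and issuer matching by name only, no signature checking; it compares removing the intermediate, removing the root, and an explicit blocklist of the kind Pierre attributes to Firefox.

```python
"""Toy model of X.509 path building for the chain discussed in the thread:
Staat der Nederlanden CA -> DigiNotar -> leaf. No crypto, name matching only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # self-signed root when issuer == subject


# Constructed labels, not real distinguished names.
ROOT = Cert("Staat der Nederlanden CA", "Staat der Nederlanden CA")
DIGINOTAR = Cert("DigiNotar", "Staat der Nederlanden CA")
LEAF = Cert("secure.valkenswaard.nl", "DigiNotar")


def build_path(leaf, server_sent, trust_store, distrusted=frozenset()):
    """Walk issuer links from leaf until a trust anchor is reached.
    Issuer candidates come from the server-supplied extras AND the local
    store, as real clients do. 'distrusted' models an explicit blocklist
    (the kind of check the thread says Firefox added): any hit rejects.
    Returns the path as a list, or None if no acceptable path exists."""
    by_subject = {c.subject: c for c in list(server_sent) + list(trust_store)}
    path, seen, cur = [leaf], {leaf.subject}, leaf
    while True:
        if cur.subject in distrusted:
            return None  # blocklisted CA somewhere in the chain
        if cur in trust_store:
            return path  # reached a locally trusted anchor
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            return None  # missing issuer ("missing cert") or a loop
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt


def accepted(trust_store, server_sent, distrusted=frozenset()):
    return build_path(LEAF, server_sent, trust_store, distrusted) is not None


def scenarios():
    """Outcome of each case argued in the thread; True means accepted."""
    return {
        "both in store, server sends intermediate": accepted({ROOT, DIGINOTAR}, [DIGINOTAR]),
        "DigiNotar removed, server sends intermediate": accepted({ROOT}, [DIGINOTAR]),
        "DigiNotar removed, server sends nothing": accepted({ROOT}, []),
        "root removed too": accepted(set(), [DIGINOTAR]),
        "root kept, DigiNotar blocklisted": accepted({ROOT}, [DIGINOTAR], {"DigiNotar"}),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {name}")
```

In this model, dropping only the DigiNotar intermediate has no effect as long as the server still sends it and the Dutch root is trusted; removing the root or adding a blocklist entry is what actually rejects the chain.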