[arch-dev-public] How to disable the DigiNotar root cert on Arch

Pierre Schmitz pierre at archlinux.de
Wed Sep 7 10:07:50 EDT 2011

On Wed, 07 Sep 2011 14:35:21 +0200, Jan de Groot wrote:
> On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
>> As a follow up I'd recommend to also remove the root certificates of
>> "Staat der Nederlanden". The problem is that they had used DigiNotar as
>> intermediate CA. There are specific updates for Firefox and Chromium but
>> other browsers are still affected. You can check if these certs are
>> still accepted by your browser by visiting sites such as
>> https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
>> intermediate cert. ATM I don't know of any other workaround than removing
>> the root certs completely.
> What is this advice based on? You're getting it wrong. "Staat der
> Nederlanden CA" is a root CA, they haven't been compromised. The certificate
> chain is as follows:
> Staat der Nederlanden CA -> DigiNotar -> fraud cert
> If you remove DigiNotar from ca-certificates, you'll get this:
> Staat der Nederlanden CA -> missing cert -> fraud cert

Doesn't the server also send the intermediate certs if needed? Or am I
mixing things?

> Every sane client application will complain about the missing cert.
> Probably it won't even know about the Staat der Nederlanden CA, as you
> can't resolve to it directly without having the DigiNotar certificate.

I did a brief test with curl and webkit browsers such as rekonq. They
accept the certificates from the site mentioned above unless I disable
"Staat der Nederlanden CA". Afaik Firefox does an explicit check if
there is a diginotar cert within the chain; other browsers and clients
most likely don't. So I still think it's the easiest for most people to
disable those certs as well.

But yes, I am not absolutely sure, as the information you can find in
the media atm is not that accurate. E.g. heise states that Microsoft
will remove the Nederlands root cert completely.

Pierre Schmitz, https://users.archlinux.de/~pierre
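The chain-building question in this exchange (does the server-supplied intermediate let a client reach the root, what happens when the intermediate or the root is missing from the trust store, and what a Firefox-style explicit distrust of one CA does) can be made concrete with a small model. The following is an added illustration and not part of the original thread or of any project's code: it does no real X.509 parsing, a "certificate" is only a (subject, issuer) pair, and all names are constructed for the example.

```python
"""Toy model of X.509 path building (added example, not real parsing).

A certificate is just (subject, issuer). Path building walks issuer links
using the certificates the server sent plus whatever the client already
has, and succeeds only when the walk reaches a certificate in the trust
store. A blocklist models an explicit "this CA must not appear anywhere in
the chain" check, independent of what the trust store contains.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # a self-signed root has issuer == subject


# Constructed sample chain modelled on the one quoted in the thread.
ROOT = Cert("Staat der Nederlanden CA", "Staat der Nederlanden CA")
INTERMEDIATE = Cert("DigiNotar", "Staat der Nederlanden CA")
LEAF = Cert("example-site", "DigiNotar")  # hypothetical end-entity cert


def build_path(leaf, supplied, trust_store, blocklist=frozenset()):
    """Return (ok, reason, path).

    supplied    -- certificates the server sent (leaf plus intermediates)
    trust_store -- certificates the client treats as trust anchors
    blocklist   -- subjects that poison any chain they appear in
    """
    # Server-supplied certificates take precedence; locally known ones fill gaps.
    by_subject = {c.subject: c for c in supplied}
    for c in trust_store:
        by_subject.setdefault(c.subject, c)

    path = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while True:
        if cur.subject in blocklist:
            return False, f"distrusted certificate in chain: {cur.subject}", path
        if cur in trust_store:
            return True, "chain ends in a trusted root", path
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            # Nothing the server sent or the client has names this issuer.
            return False, f"issuer not found: {cur.issuer}", path
        if nxt.subject in seen:
            return False, "loop in chain", path
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt


def scenarios():
    """The four situations discussed in the thread, as (ok, reason) pairs."""
    return {
        # Intermediate absent from the trust store but sent by the server:
        # the chain still reaches the root, so the client accepts it.
        "server_sends_intermediate": build_path(LEAF, [LEAF, INTERMEDIATE], {ROOT})[:2],
        # Intermediate neither in the store nor sent: "missing cert" failure.
        "intermediate_missing": build_path(LEAF, [LEAF], {ROOT})[:2],
        # Root removed from the trust store: the chain cannot terminate.
        "root_removed": build_path(LEAF, [LEAF, INTERMEDIATE], set())[:2],
        # Root kept, but the intermediate CA explicitly distrusted.
        "explicit_distrust": build_path(LEAF, [LEAF, INTERMEDIATE], {ROOT}, {"DigiNotar"})[:2],
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:28s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The model shows why the two approaches in the thread differ: removing only the intermediate from the local store does nothing when the server sends that intermediate itself, removing the root rejects every chain under it, and an explicit distrust rejects chains containing the named CA while leaving the root usable for everything else.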
