[arch-dev-public] How to disable the DigiNotar root cert on Arch

Jan de Groot jan at jgc.homeip.net
Wed Sep 7 13:02:27 EDT 2011

On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
> I did a brief test with curl and webkit browsers such as rekonq. They
> accept the certificates from the site mentioned above unless I disable
> "Staat der Nederlanden CA". Afaik Firefox does an explicit check if
> there is a diginotar cert within the chain; other browsers and clients
> most likely don't. So I still think it's the easiest for most people to
> disable those certs as well.

I tried Epiphany; that browser doesn't even give a warning when a cert
is invalid. One week ago the cert for GNOME Bugzilla had expired:
Firefox couldn't add an exception, making it impossible to visit
bugs.gnome.org, but Epiphany just showed the website without any warning.
When I check a DigiNotar-signed website, Epiphany shows a broken lock in
the address bar, so although it's SSL, it says the security is broken.

> But yes, I am not absolutely sure as the information you can find in
> the media atm is not that accurate. E.g. heise states that Microsoft
> will remove the Nederlands root cert completely.

Heise is wrong IMHO. When the DigiNotar hack was made public, all
browser companies issued updates. Both Microsoft and Mozilla added
checks to their browsers to see if a cert originates from "Staat der
Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT
uncovered a report about the security at DigiNotar and that no cert
ever issued by this company should be trusted, Mozilla and Microsoft
decided to remove that exception and just disable all DigiNotar
I pulled in this update through Windows Update this morning; I had to
reboot for it (Windows XP). On Windows XP you don't have to reboot for a
base certificate update, so this is an update that touches code instead
of some certificate store.
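Pierre's point above is that Firefox explicitly looks for a DigiNotar certificate anywhere in the chain, while curl and the WebKit browsers only reject the chain once the relevant root is removed from the trust store. The shell snippet below is an added illustration of that kind of explicit chain scan, not code from this thread or from Arch; it assumes the openssl CLI is installed, and the certificates it builds are constructed test data, not DigiNotar's real certificates.

```shell
# Added example: scan a PEM bundle for any certificate whose subject or
# issuer names a distrusted CA (default pattern "DigiNotar"), independently
# of whether the local trust store still contains that CA.
# Returns 0 if such a certificate is present, 1 if not, 2 on setup error.
chain_has_distrusted_ca() {
  chain_file=$1
  pattern=${2:-DigiNotar}
  tmpdir=$(mktemp -d) || return 2
  # split the bundle into one file per certificate (cert1.pem, cert2.pem, ...)
  awk -v d="$tmpdir" \
    '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' \
    "$chain_file"
  found=1
  for f in "$tmpdir"/cert*.pem; do
    [ -e "$f" ] || break
    # subject and issuer DNs of this certificate, as printed by openssl
    names=$(openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null)
    if printf '%s\n' "$names" | grep -qi -- "$pattern"; then
      found=0
      break
    fi
  done
  rm -rf "$tmpdir"
  return $found
}

# Helper for the constructed test data: a throwaway self-signed certificate
# whose organisation field is $2, written to $1 (key goes to $1.key).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=$2/CN=test" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

A bundle fetched with `openssl s_client -showcerts` can be fed straight into `chain_has_distrusted_ca`, since the awk split ignores everything outside the BEGIN/END markers.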

