On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > So, I'll put that on tiredness. That'd be several fraudulent
> > > certificates whose fingerprint is unknown (thus even CRL, OCSP and
> > > blacklists can't do anything), and the mitigation involves several
> > > different intermediate certs that are cross-signed, which makes it kind
> > > of hard. Plus, there is the problem that untrusting the DigiNotar root
> > > untrusts a separate PKI used by the Dutch government.
>
> AFAICS, this last part is not true. The gov has one Root and DigiNotar's
> PKIOverheid is one of its leaves.
> Other DigiNotar CAs are the one derived from Entrust (seems to have been
> revoked), and a PKIOverheid G2 that I've seen mentioned in a few places (also
> derived from Entrust?)
>
> > > Add to the above that untrusting a root still allows users to override
> > > in applications, and we have no central way to not allow that. AIUI, the
> > > Mozilla update is going to block overrides as well, but that involves
> > > the application side. NSS won't deal with that.
> >
> > See https://bugzilla.mozilla.org/show_bug.cgi?id=682927 which is now
> > open.
>
> Thanks for the link.
>
> FWIW, it seems that the government is ACKing [3] that DigiNotar re-signs
> certificates with its PKIOverheid CA for non-gov users of its now-untrusted
> DigiNotar Root CA.
>
> Action items based on what others are doing:
> 1. Disable DigiNotar Root CA: done
> 2. Disable other DigiNotar CAs (derived from Entrust)[4]: not done
> 3. Still permit Staat der Nederlanden CA and PKIoverheid: nothing to be done
>
> Item 2 is handled by Mozilla by matching /^DigiNotar/ and marking them as
> untrusted at the PSM level.

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

On the NSS end, this is my understanding of the status (haven't gone through
the patches yet):
- It disables DigiNotar Root CA
- It untrusts the signatures from Entrust on the DigiNotar CAs
- It blacklists /^DigiNotar/ intermediates

All that at NSS level, making the solution work in all applications using NSS,
which is good. I need to check what is done at PSM level now.

Mike
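A constructed Python model of the distrust policy the thread converges on (an added example, not code from the thread, from NSS or from Mozilla): it shows why a fingerprint blacklist cannot reject a forged leaf whose fingerprint nobody has seen when it chains through a DigiNotar intermediate cross-signed by a still-trusted root, while dropping the root plus the /^DigiNotar/ subject-name rule does reject it and leaves a Staat der Nederlanden chain accepted. Every certificate name, fingerprint and chain below is a constructed placeholder, including the "DigiNotar Services CA" and "PKIoverheid Organisatie CA" intermediates.

```python
import re
from dataclasses import dataclass

# Constructed model of the NSS-level steps named in the thread: the root is
# dropped from the trust store and cross-signed intermediates are blocked by
# subject name, because the forged leaf certificates' fingerprints are unknown.
REMOVED_ROOTS = {"DigiNotar Root CA"}
BLOCKED_NAME = re.compile(r"^DigiNotar")
BAD_FINGERPRINTS = {"sha1:known-bad"}  # constructed; the forged leaves are not in it

@dataclass
class Cert:
    subject_cn: str  # subject CN only, a simplification of the full DN
    issuer_cn: str
    fingerprint: str  # constructed placeholder, not a real hash
    is_anchor: bool = False  # True for a certificate held in the trust store

def evaluate_chain(chain, block_by_name):
    """chain[0] is the leaf, chain[-1] the root. Returns (accepted, reason)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer_cn != parent.subject_cn:
            return False, f"issuer mismatch at {child.subject_cn}"
    root = chain[-1]
    if not root.is_anchor or root.subject_cn in REMOVED_ROOTS:
        return False, f"untrusted root: {root.subject_cn}"
    for cert in chain:
        if cert.fingerprint in BAD_FINGERPRINTS:
            return False, f"blacklisted fingerprint: {cert.subject_cn}"
        if block_by_name and BLOCKED_NAME.match(cert.subject_cn):
            return False, f"blocked by name rule: {cert.subject_cn}"
    return True, "accepted"

# Constructed chains. The forged leaf's fingerprint has never been seen, and it
# hangs off a DigiNotar intermediate cross-signed by a root that stays trusted.
ENTRUST = Cert("Entrust Root CA", "Entrust Root CA", "sha1:e1", is_anchor=True)
STAAT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA", "sha1:s1", True)
DIGINOTAR = Cert("DigiNotar Root CA", "DigiNotar Root CA", "sha1:d0", True)
FORGED = [Cert("www.example.org", "DigiNotar Services CA", "sha1:never-seen"),
          Cert("DigiNotar Services CA", "Entrust Root CA", "sha1:d1"), ENTRUST]
GOV = [Cert("dienst.example.nl", "PKIoverheid Organisatie CA", "sha1:g1"),
       Cert("PKIoverheid Organisatie CA", "Staat der Nederlanden Root CA", "sha1:g2"), STAAT]
OLD = [Cert("shop.example.nl", "DigiNotar Root CA", "sha1:o1"), DIGINOTAR]

def decisions():  # accept/reject per chain, fingerprint-only policy vs the name rule
    return {
        "forged_fingerprint_only": evaluate_chain(FORGED, block_by_name=False)[0],
        "forged_name_rule": evaluate_chain(FORGED, block_by_name=True)[0],
        "gov_name_rule": evaluate_chain(GOV, block_by_name=True)[0],
        "old_root_any_policy": evaluate_chain(OLD, block_by_name=False)[0],
    }
```

Run `decisions()` to see the four outcomes; only the fingerprint-only policy lets the cross-signed forged chain through.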