On Sat, Sep 03, 2011 at 07:40:23AM +0200, Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > So, I'll put that on tiredness. That'd be several fraudulent
> > > > certificates whose fingerprint is unknown (thus even CRL, OCSP and
> > > > blacklists can't do anything), and the mitigation involves several
> > > > different intermediate certs that are cross-signed, which makes it kind
> > > > of hard. Plus, there is the problem that untrusting the DigiNotar root
> > > > untrusts a separate PKI used by the Dutch government.
> >
> > AFAICS, this last part is not true. The gov has one Root and DigiNotar's
> > PKIOverheid is one of its leaves.
> > Other DigiNotar CAs are the one derived from Entrust (seems to have been
> > revoked), and a PKIOverheid G2 that I've seen mentioned in a few places
> > (also derived from Entrust?)
> >
> > > > Add to the above that untrusting a root still allows users to override
> > > > in applications, and we have no central way to not allow that. Aiui, the
> > > > mozilla update is going to block overrides as well, but that involves
> > > > the application side. NSS won't deal with that.
> > >
> > > See https://bugzilla.mozilla.org/show_bug.cgi?id=682927 which is now
> > > open.
> >
> > Thanks for the link.
> >
> > FWIW, it seems that the government is ACKing [3] that DigiNotar re-signs
> > certificates with its PKIOverheid CA for non-gov users of its now-untrusted
> > DigiNotar Root CA.
> >
> > Action items based on what others are doing:
> > 1. Disable DigiNotar Root CA: done
> > 2. Disable other DigiNotar CAs (derived from Entrust)[4]: not done
> > 3. Still permit Staat der Nederlanden CA and PKIoverheid: nothing to be done
> >
> > Item 2 is handled by Mozilla by matching /^DigiNotar/ and marking them as
> > untrusted at the PSM level.
> > http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
>
> On the NSS end, this is my understanding of the status (haven't gone
> through the patches yet):
> - It disables DigiNotar Root CA
> - It untrusts the signatures from Entrust on the DigiNotar CAs
> - It blacklists /^DigiNotar/ intermediates
> All that at NSS level, making the solution work in all applications
> using NSS, which is good.
>
> I need to check what is done at PSM level now.
And affected Dutch users are now officially aware they're screwed.
http://www.rnw.nl/english/bulletin/security-dutch-government-websites-jeopardy

Mike
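To illustrate the point the thread keeps circling back to (why pulling the DigiNotar Root CA out of the trust store is not enough when the same intermediate is also cross-signed by Entrust, and why Mozilla's /^DigiNotar/ name match closes that gap while leaving the Staat der Nederlanden root alone), here is a small path-building model. This is an added example, not code from the thread, NSS or Mozilla: certificates are reduced to subject/issuer names, the intermediate names ("DigiNotar Services CA", "Staat der Nederlanden Overheid CA", "Entrust Root") and the leaf hostnames are constructed for the demo, and no key material, fingerprints or real chain data are involved.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to the two names that path building needs.
    (Constructed model; a real validator would also verify signatures,
    validity periods, key usage and revocation.)"""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample certificates; the intermediate names are hypothetical.
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
ENTRUST_ROOT = Cert("Entrust Root", "Entrust Root")
STAAT_ROOT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA")
# The same DigiNotar intermediate issued twice (cross-signed): once under
# DigiNotar's own root, once under Entrust.
DN_INTERMEDIATE_OWN = Cert("DigiNotar Services CA", "DigiNotar Root CA")
DN_INTERMEDIATE_ENTRUST = Cert("DigiNotar Services CA", "Entrust Root")
# The government intermediate hangs off the government's own root, not
# off DigiNotar's, so distrusting DigiNotar does not touch it.
PKIOVERHEID = Cert("Staat der Nederlanden Overheid CA", "Staat der Nederlanden Root CA")

POOL = [DIGINOTAR_ROOT, ENTRUST_ROOT, STAAT_ROOT,
        DN_INTERMEDIATE_OWN, DN_INTERMEDIATE_ENTRUST, PKIOVERHEID]


def build_paths(leaf: Cert, pool: list, anchors: set) -> list:
    """Return every issuer path from leaf up to a self-signed cert that is
    in the trust anchor set. Cross-signing yields more than one path."""
    paths = []

    def walk(cert: Cert, path: list) -> None:
        if cert.self_signed:
            if cert in anchors:
                paths.append(path)
            return  # self-signed but not an anchor: dead end
        for candidate in pool:
            if candidate.subject == cert.issuer and candidate not in path:
                walk(candidate, path + [candidate])

    walk(leaf, [leaf])
    return paths


def accepted_paths(leaf: Cert, pool: list, anchors: set,
                   distrust_name: str = None) -> list:
    """Paths that survive (a) removing roots from the anchor set and
    (b) an optional name-based blacklist applied to every cert on the
    path, the way the /^DigiNotar/ match in the thread works."""
    paths = build_paths(leaf, pool, anchors)
    if distrust_name is None:
        return paths
    pattern = re.compile(distrust_name)
    return [p for p in paths
            if not any(pattern.match(c.subject) for c in p)]


def demo() -> dict:
    """Count accepted paths for a DigiNotar-issued leaf and a
    PKIoverheid-issued leaf under the three policies discussed."""
    dn_leaf = Cert("www.example.nl", "DigiNotar Services CA")       # constructed
    gov_leaf = Cert("www.example.overheid.nl",
                    "Staat der Nederlanden Overheid CA")              # constructed
    all_roots = {DIGINOTAR_ROOT, ENTRUST_ROOT, STAAT_ROOT}
    no_dn_root = {ENTRUST_ROOT, STAAT_ROOT}
    return {
        "dn_leaf/all_roots": len(accepted_paths(dn_leaf, POOL, all_roots)),
        "dn_leaf/root_removed": len(accepted_paths(dn_leaf, POOL, no_dn_root)),
        "dn_leaf/root_removed+regex": len(
            accepted_paths(dn_leaf, POOL, no_dn_root, r"^DigiNotar")),
        "gov_leaf/root_removed+regex": len(
            accepted_paths(gov_leaf, POOL, no_dn_root, r"^DigiNotar")),
    }


if __name__ == "__main__":
    for policy, count in demo().items():
        print(f"{policy}: {count} accepted path(s)")
```

Removing only the root drops the path through DigiNotar Root CA but leaves the Entrust-signed path standing, which is exactly the "derived from Entrust" case in action item 2; the name match kills both DigiNotar paths and still accepts the PKIoverheid chain, since nothing on it matches /^DigiNotar/. Note that this addresses the chain-building side only; the per-application user override Mike mentions is outside what a trust-store change can fix.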