Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > So, I'll put that on tiredness. That'd be several fraudulent
> > certificates which fingerprint is unknown (thus even CRL, OCSP and
> > blacklists can't do anything), and the mitigation involves several
> > different intermediate certs that are cross-signed, which makes it kind
> > of hard. Plus, there is the problem that untrusting the DigiNotar root
> > untrusts a separate PKI used by the Dutch government.
AFAICS, this last part is not true. The gov has one Root and DigiNotar's
PKIOverheid is one of its leaves.
Other DigiNotar CAs are the one derived from Entrust (seems to have been
revoked), and a PKIOverheid G2 that I've seen mentioned in a few places (also
derived from Entrust?)
> > Add to the above that untrusting a root still allows users to override
> > in applications, and we have no central way to not allow that. Aiui, the
> > mozilla update is going to block overrides as well, but that involves
> > the application side. NSS won't deal with that.
> See https://bugzilla.mozilla.org/show_bug.cgi?id=682927 which is now
Thanks for the link.
FWIW, it seems that the government is ACKing that DigiNotar re-signs
certificates with its PKIOverheid CA for non-gov users of its now-untrusted
DigiNotar Root CA.
Action items based on what others are doing:
1. Disable DigiNotar Root CA: done
2. Disable other DigiNotar CAs (derived from Entrust): not done
3. Still permit Staat der Nederlanden CA and PKIoverheid: nothing to be done
Item 2 is handled by Mozilla by matching /^DigiNotar/ and marking them as
untrusted at the PMS level.
discovered.html (and the linked fact-sheet)
Entrust revoked them, marked as "superseded" in the CRL
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
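Added illustration, not part of the original message or of any Debian or Mozilla code: the three mitigations discussed in the thread (a fingerprint blocklist/CRL, untrusting the DigiNotar Root CA, and Mozilla's /^DigiNotar/ name match) applied to a few constructed certificate chains. Every subject name, issuer name and fingerprint below is invented sample data; the chain walk is a simplified model (issuer must equal the next subject, root must be self-signed and in the trust set), not a full X.509 path validation. It shows why the first two mitigations miss an unknown fraudulent certificate and a DigiNotar intermediate cross-signed by another root, while the name-based rule catches both and leaves the Staat der Nederlanden chain alone.

```python
import re

# Constructed sample data: each certificate is a dict of subject, issuer and a
# placeholder fingerprint. Names marked "(sample)" are illustrative stand-ins,
# not real DNs; fingerprints are arbitrary labels, not real hashes.
def cert(subject, issuer, fingerprint):
    return {"subject": subject, "issuer": issuer, "fp": fingerprint}

# Trust store as it looked before any mitigation (sample roots).
TRUSTED_ROOTS = {"DigiNotar Root CA", "Entrust Root (sample)",
                 "Staat der Nederlanden Root CA"}
# Action item 1 in the thread: untrust the DigiNotar root.
DISTRUSTED_ROOTS = {"DigiNotar Root CA"}
# CRL/OCSP-style blocklist: only helps for certs whose fingerprint is known.
KNOWN_BAD_FINGERPRINTS = {"fp-fraud-0001"}
# Action item 2, Mozilla-style: any cert whose subject starts with DigiNotar
# poisons the whole chain, wherever it sits.
DISTRUSTED_NAME = re.compile(r"^DigiNotar")

# Chains are listed leaf first, root last.
CHAINS = {
    "known-fraud": [
        cert("*.google.com", "DigiNotar Public CA (sample)", "fp-fraud-0001"),
        cert("DigiNotar Public CA (sample)", "DigiNotar Root CA", "fp-int-1"),
        cert("DigiNotar Root CA", "DigiNotar Root CA", "fp-root-dn"),
    ],
    # Same issuer, but a fraudulent cert nobody has a fingerprint for.
    "unknown-fraud": [
        cert("*.google.com", "DigiNotar Public CA (sample)", "fp-fraud-9999"),
        cert("DigiNotar Public CA (sample)", "DigiNotar Root CA", "fp-int-1"),
        cert("DigiNotar Root CA", "DigiNotar Root CA", "fp-root-dn"),
    ],
    # DigiNotar intermediate cross-signed by a different, still-trusted root.
    "cross-signed": [
        cert("*.google.com", "DigiNotar Cyber CA (sample)", "fp-fraud-7777"),
        cert("DigiNotar Cyber CA (sample)", "Entrust Root (sample)", "fp-int-2"),
        cert("Entrust Root (sample)", "Entrust Root (sample)", "fp-root-entrust"),
    ],
    # Dutch government chain that must keep working (action item 3).
    "dutch-gov": [
        cert("example.overheid.nl", "Staat der Nederlanden Organisatie CA (sample)", "fp-gov-leaf"),
        cert("Staat der Nederlanden Organisatie CA (sample)", "Staat der Nederlanden Root CA", "fp-int-3"),
        cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA", "fp-root-nl"),
    ],
}


def chain_is_linked(chain):
    """Simplified path check: each issuer names the next cert's subject and the
    chain ends in a self-signed root from TRUSTED_ROOTS."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    root = chain[-1]
    return root["subject"] == root["issuer"] and root["subject"] in TRUSTED_ROOTS


def policy_fingerprint_blocklist(chain):
    """Accept unless the leaf fingerprint is on the known-bad list."""
    return chain_is_linked(chain) and chain[0]["fp"] not in KNOWN_BAD_FINGERPRINTS


def policy_untrust_root(chain):
    """Accept unless the chain terminates in a distrusted root."""
    return chain_is_linked(chain) and chain[-1]["subject"] not in DISTRUSTED_ROOTS


def policy_name_match(chain):
    """Accept unless any cert in the chain has a /^DigiNotar/ subject."""
    return chain_is_linked(chain) and not any(
        DISTRUSTED_NAME.match(c["subject"]) for c in chain)


def evaluate_all():
    """Return, per chain, whether each policy would accept it (True = trusted)."""
    return {
        name: {
            "blocklist": policy_fingerprint_blocklist(chain),
            "untrust_root": policy_untrust_root(chain),
            "name_match": policy_name_match(chain),
        }
        for name, chain in CHAINS.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:14s}", "  ".join(f"{k}={'ok' if v else 'REJECT'}"
                                       for k, v in verdicts.items()))
```

Run it and the table shows the blocklist accepting the unknown and cross-signed fraudulent chains, root distrust still accepting the cross-signed one, and only the name match rejecting all three while keeping the Staat der Nederlanden chain trusted. In a real client the three checks are combined (a chain must pass all of them), which is why the thread treats item 2 as still open after item 1 is done.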