Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On Thursday 01 September 2011 17:47:57 Mike Hommey wrote:
> On Thu, Sep 01, 2011 at 02:06:39PM -0500, Raphael Geissert wrote:
> > Unless other certificates were signed with another CA, at least the
> > *.google.com one should fail now. The chain of the public
> > *.google.com cert is:
> > Issuer: C=NL, O=DigiNotar, CN=DigiNotar Root CA
> > Subject: C=NL, O=DigiNotar, CN=DigiNotar Public CA 2025
> > Issuer: C=NL, O=DigiNotar, CN=DigiNotar Public CA 2025
> > Subject: C=US, O=Google Inc, L=Mountain View/serialNumber=PK000229200002,
> > CN=*.google.com
> AIUI, the DigiNotar Public CA 2025 is cross signed by Entrust.
Do you have a copy of that one?
> > I have an idea, but I need to test a few things first. It is too simple,
> > so I guess I must be missing something, otherwise people would have
> > already done it.
> The last one should be handled by the removal of the Entrust roots that
> signed DigiNotar intermediate certs.
> Entrust actually requested the removal of these roots, as well as
> published revocations (which is why OCSP and CRL validation works)
> See https://bugzilla.mozilla.org/show_bug.cgi?id=683455
Well, no, they didn't request that their roots be removed. They are
actively using them.
What they've done is revoke their signatures for DigiNotar certs.
We are still left with the question of how to invalidate those. Will try to
test some things tomorrow.
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
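The chain quoted above, and the cross-signing point Mike raises, can be made concrete with a small defensive check. The following is an added example, not code from this bug thread, from Debian or from Mozilla: a minimal DER walker that extracts the Subject and Issuer names from X.509 certificates and applies an explicit distrust rule to every certificate in a chain, so a chain through the DigiNotar intermediate is rejected whether it terminates at the DigiNotar root or at a cross-signing root. The certificates are constructed in the block itself (real structure, dummy key and signature, no signature verification); the DNs for the *.google.com leaf and the two DigiNotar CAs are taken from the message, while the "Entrust placeholder" and "Example Corp" names are assumptions. Keying the rule on the O=DigiNotar attribute is one illustration of explicit distrust; it is not the fix any distribution shipped.

```python
# Added example (not from the bug thread): parse Subject/Issuer from DER X.509
# certificates and reject any chain containing a distrusted organization,
# regardless of which root (DigiNotar or a cross-signer) the chain ends at.
# Certificates here are CONSTRUCTED: real structure, dummy key and signature.

OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "L": b"\x55\x04\x07",
        "serialNumber": b"\x55\x04\x05", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}
DISTRUSTED_ORGS = {"DigiNotar"}          # distrust rule keyed on the O= attribute


def der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_name(attrs):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(der(0x31, der(0x30, der(0x06, OIDS[k]) + der(0x0C, v.encode())))
                    for k, v in attrs)
    return der(0x30, rdns)


def make_cert(subject, issuer, serial):
    """Structurally valid Certificate with a dummy key and signature (constructed)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"110901000000Z") + der(0x17, b"120901000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" * 9))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + encode_name(issuer) + validity + encode_name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                        # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_name(body):
    """Flatten a Name into [(attribute, value), ...] in encoded order."""
    attrs = []
    for _, rdn in children(body):        # each RelativeDistinguishedName SET
        for _, atv in children(rdn):     # each AttributeTypeAndValue SEQUENCE
            (_, oid), (_, val) = children(atv)
            attrs.append((OID_NAMES.get(oid, oid.hex()), val.decode("utf-8", "replace")))
    return attrs


def names_of(cert_der):
    """Return (subject, issuer) of a DER certificate as attribute lists."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs = children(cert)[0]
    fields = children(tbs)
    if fields[0][0] == 0xA0:             # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return parse_name(fields[4][1]), parse_name(fields[2][1])


def dn(attrs):
    return ", ".join(f"{k}={v}" for k, v in attrs)


def chain_verdict(chain):
    """Leaf-first chain. Reject if any certificate names a distrusted organization."""
    for cert in chain:
        for attrs in names_of(cert):
            if any(k == "O" and v in DISTRUSTED_ORGS for k, v in attrs):
                return False, f"distrusted organization in chain: {dn(attrs)}"
    return True, "no distrusted organization in chain"


# DNs from the message; the Entrust and Example Corp names are placeholders.
DIGINOTAR_ROOT = [("C", "NL"), ("O", "DigiNotar"), ("CN", "DigiNotar Root CA")]
DIGINOTAR_PUBLIC = [("C", "NL"), ("O", "DigiNotar"), ("CN", "DigiNotar Public CA 2025")]
GOOGLE_LEAF = [("C", "US"), ("O", "Google Inc"), ("L", "Mountain View"),
               ("serialNumber", "PK000229200002"), ("CN", "*.google.com")]
ENTRUST_PLACEHOLDER = [("C", "US"), ("O", "Entrust placeholder"), ("CN", "placeholder root")]
OTHER_LEAF = [("C", "US"), ("O", "Example Corp"), ("CN", "www.example.com")]

DIGINOTAR_CHAIN = [make_cert(GOOGLE_LEAF, DIGINOTAR_PUBLIC, 1),
                   make_cert(DIGINOTAR_PUBLIC, DIGINOTAR_ROOT, 2)]
CROSS_SIGNED_CHAIN = [make_cert(GOOGLE_LEAF, DIGINOTAR_PUBLIC, 1),
                      make_cert(DIGINOTAR_PUBLIC, ENTRUST_PLACEHOLDER, 3)]
CLEAN_CHAIN = [make_cert(OTHER_LEAF, ENTRUST_PLACEHOLDER, 4)]

if __name__ == "__main__":
    for label, chain in [("DigiNotar root path", DIGINOTAR_CHAIN),
                         ("cross-signed path", CROSS_SIGNED_CHAIN),
                         ("unrelated chain", CLEAN_CHAIN)]:
        print(label, "->", chain_verdict(chain))
```

The point of the two rejected chains is the one raised in the thread: removing or revoking the DigiNotar root alone leaves the cross-signed path open, so the distrust has to be applied to the intermediate's own name (or its key), not to the root that happens to terminate the chain. A real validator would, of course, also verify signatures and revocation status; this walker only shows where the name-based rule sits in the chain check.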