Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On Tue, Sep 06, 2011 at 03:03:27PM +0200, Giuseppe Iuculano wrote:
> On 09/04/2011 09:20 PM, Raphael Geissert wrote:
> > NSS now ships modified certs of DigiNotar; their name is "Explicitly Disabled
> > DigiNotar <rest of the original CN here>".
> > In chromium, for example, if you browse a DigiNotar-signed website and check
> > the certificate chain you will see the Explicitly Disabled cert there.
> > Giuseppe, do you already have plans for updating chromium? (more info on the
> > CCed bug.)
> chromium uses libnss, please explain, what kind of update does chromium
> need? Did I miss something?
You missed the part where chromium uses libpkix (despite Mozilla
saying it's not ready), and the libpkix path doesn't reject the certs
chaining to the Explicitly Disabled CAs.