
Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA



On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > So, I'll put that on tiredness. That'd be several fraudulent
> > certificates which fingerprint is unknown (thus even CRL, OCSP and
> > blacklists can't do anything), and the mitigation involves several
> > different intermediate certs that are cross-signed, which makes it kind
> > of hard. Plus, there is the problem that untrusting the DigiNotar root
> > untrusts a separate PKI used by the Dutch government.

AFAICS, this last part is not true. The gov has one Root and DigiNotar's 
PKIOverheid is one of its leaves.
Other DigiNotar CAs are the one derived from Entrust (seems to have been 
revoked), and a PKIOverheid G2 that I've seen mentioned in a few places (also 
derived from Entrust?)

> > Add to the above that untrusting a root still allows users to override
> > in applications, and we have no central way to not allow that. Aiui, the
> > mozilla update is going to block overrides as well, but that involves
> > the application side. NSS won't deal with that.
> 
> See https://bugzilla.mozilla.org/show_bug.cgi?id=682927 which is now
> open.

Thanks for the link.

FWIW, it seems that the government is ACKing [3] that DigiNotar re-signs 
certificates with its PKIOverheid CA for non-gov users of its now-untrusted 
DigiNotar Root CA.

Action items based on what others are doing:
1. Disable DigiNotar Root CA: done
2. Disable other DigiNotar CAs (derived from Entrust)[4]: not done
3. Still permit Staat der Nederlanden CA and PKIoverheid: nothing to be done

Item 2 is handled by Mozilla by matching /^DigiNotar/ and marking them as 
untrusted at the PMS level.


[3] https://www.govcert.nl/english/service-provision/knowledge-and-publications/factsheets/factsheet-fraudulently-issued-security-certificate-discovered.html (and the linked fact-sheet)
[4] Entrust revoked them, marked as "superseded" in the CRL

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
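Added example, not part of this bug thread or of any Debian or Mozilla code: a Python scan that applies the /^DigiNotar/ subject-name rule mentioned above to a PEM bundle, using a small DER walker so it runs without third-party libraries. Matching on the subject name rather than on a fingerprint is what lets such a rule catch certificates whose fingerprints are unknown; the certificate skeletons it scans, and the names der_children, subject_attrs, untrusted_subjects and skeleton_cert, are constructed for this example.

```python
import base64
import re

OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"    # id-at-commonName, id-at-organizationName
DISTRUST = re.compile(r"^DigiNotar")                 # the match rule the thread attributes to Mozilla

def der_children(buf):
    """Split DER bytes into a list of (tag, value) TLVs; handles long-form lengths."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                            # long form: low bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def subject_attrs(cert_der):
    """Pull CN and O from tbsCertificate.subject (RFC 5280 field order)."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])  # Certificate -> tbs -> fields
    fields = fields[fields[0][0] == 0xA0:]           # drop the explicit [0] version if present
    attrs = {}                                       # remaining: serial, sigalg, issuer, validity, subject
    for _, rdn in der_children(fields[4][1]):        # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid in (OID_CN, OID_O):
                attrs["CN" if oid == OID_CN else "O"] = val.decode("utf-8")
    return attrs

def untrusted_subjects(pem_bundle):
    """Subjects in a PEM bundle that the ^DigiNotar rule marks untrusted; the rest stay trusted."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    subjects = [subject_attrs(base64.b64decode(p)) for p in pems]
    return [s for s in subjects if any(DISTRUST.match(v) for v in s.values())]

# Constructed input: unsigned certificate skeletons in which only the subject name is meaningful.
def der(tag, content):
    return bytes([tag]) + (bytes([len(content)]) if len(content) < 128 else bytes([0x81, len(content)])) + content

def skeleton_cert(cn, o):
    atv = lambda oid, s: der(0x31, der(0x30, der(0x06, oid) + der(0x0C, s.encode())))
    name = der(0x30, atv(OID_O, o) + atv(OID_CN, cn))
    alg, validity = der(0x30, der(0x05, b"")), der(0x30, der(0x17, b"110830000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + der(0x30, b""))
    pem = base64.encodebytes(der(0x30, tbs + alg + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = "".join(skeleton_cert(cn, o) for cn, o in [("DigiNotar Root CA", "DigiNotar"),
    ("DigiNotar PKIoverheid CA", "DigiNotar B.V."), ("Staat der Nederlanden Root CA", "Staat der Nederlanden")])
```

Run against a real bundle (for example the concatenated PEM file a distribution ships), the same untrusted_subjects() call lists every certificate the name rule would block, including a DigiNotar-named CA that chains to the Staat der Nederlanden root.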


