Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

To: Giuseppe Iuculano <iuculano@debian.org>
Cc: Raphael Geissert <geissert@debian.org>, Yves-Alexis Perez <corsac@debian.org>, 639744@bugs.debian.org, Josh Triplett <josh@joshtriplett.org>
Subject: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
From: Mike Hommey <mh@glandium.org>
Date: Tue, 6 Sep 2011 15:19:27 +0200
Message-id: <[🔎] 20110906131927.GA23493@glandium.org>
Reply-to: Mike Hommey <mh@glandium.org>, 639744@bugs.debian.org
In-reply-to: <[🔎] 4E661A1F.5040704@debian.org>
References: <20110829210357.26233.13731.reportbug@leaf> <[🔎] 201109041334.44625.geissert@debian.org> <[🔎] 1315162476.16745.12.camel@scapa> <[🔎] 201109041420.12220.geissert@debian.org> <[🔎] 4E661A1F.5040704@debian.org>

On Tue, Sep 06, 2011 at 03:03:27PM +0200, Giuseppe Iuculano wrote:
> Hi,
> 
> On 09/04/2011 09:20 PM, Raphael Geissert wrote:
> > NSS now ships modified certs of DigiNotar, their name is "Explicitly Disabled 
> > DigiNotar <rest of the original CN here>"
> > In chromium, for example, if you browse a DigiNotar-signed website and check 
> > the certificate chain you will see the Explicitly Disabled cert there.
> > 
> > Giuseppe, do you already have plans for updating chromium? (more info on the 
> > CCed bug.)
> 
> chromium uses libnss, please explain, what kind of update chromium
> needs? did I miss something?

You missed the part where chromium uses libpkix (despite mozilla
saying it's not ready), and the libpkix path doesn't reject the certs
chaining to the Explicitly Disabled CAs.

Mike

Reply to:

Follow-Ups:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Raphael Geissert <geissert@debian.org>

References:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Raphael Geissert <geissert@debian.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Yves-Alexis Perez <corsac@debian.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Raphael Geissert <geissert@debian.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Giuseppe Iuculano <iuculano@debian.org>

Prev by Date: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by Date: Bug#640696: ca-certificates: Exception in thread "main" java.security.KeyStoreException: jks not found
Previous by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Index(es):
- Date
- Thread