On Sat, Sep 03, 2011 at 08:45:22AM +0200, Mike Hommey wrote:
> On Sat, Sep 03, 2011 at 07:40:23AM +0200, Mike Hommey wrote:
> > On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > > So, I'll put that on tiredness. That'd be several fraudulent
> > > > > certificates whose fingerprint is unknown (thus even CRL, OCSP and
> > > > > blacklists can't do anything), and the mitigation involves several
> > > > > different intermediate certs that are cross-signed, which makes it
> > > > > kind of hard. Plus, there is the problem that untrusting the
> > > > > DigiNotar root untrusts a separate PKI used by the Dutch government.
> > >
> > > AFAICS, this last part is not true. The gov has one Root and DigiNotar's
> > > PKIOverheid is one of its leafs.
> > > Other DigiNotar CAs are the one derived from Entrust (seems to have been
> > > revoked), and a PKIOverheid G2 that I've seen mentioned in a few places
> > > (also derived from Entrust?)
> > >
> > > > > Add to the above that untrusting a root still allows users to override
> > > > > in applications, and we have no central way to not allow that. Aiui,
> > > > > the mozilla update is going to block overrides as well, but that
> > > > > involves the application side. NSS won't deal with that.
> > > >
> > > > See https://bugzilla.mozilla.org/show_bug.cgi?id=682927 which is now
> > > > open.
> > >
> > > Thanks for the link.
> > >
> > > FWIW, it seems that the government is ACKing [3] that DigiNotar re-signs
> > > certificates with its PKIOverheid CA for non-gov users of its
> > > now-untrusted DigiNotar Root CA.
> > >
> > > Action items based on what others are doing:
> > > 1. Disable DigiNotar Root CA: done
> > > 2. Disable other DigiNotar CAs (derived from Entrust)[4]: not done
> > > 3. Still permit Staat der Nederlanden CA and PKIoverheid: nothing to be
> > >    done
> > >
> > > Item 2 is handled by Mozilla by matching /^DigiNotar/ and marking them as
> > > untrusted at the PMS level.
> >
> > http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
> >
> > On the NSS end, this is my understanding of the status (haven't gone
> > through the patches yet):
> > - It disables DigiNotar Root CA
> > - It untrusts the signatures from Entrust on the DigiNotar CAs
> > - It blacklists /^DigiNotar/ intermediates
> > All that at NSS level, making the solution work in all applications
> > using NSS, which is good.
>
> Looking at the patches, this really is:
> - untrust all the DigiNotar* CAs[1]
> - untrust the PKIoverheid intermediates
>
> Untrusting is done by actually having entries for all these CAs, but
> marking them as untrusted.

On the PSM side, there is an explicit blacklist of certificates whose issuer
matches CN=DigiNotar (strstr), even if NSS has the CAs untrusted.
Additionally, if a certificate signed by DigiNotar is invalid because of
the NSS distrust, it is marked as revoked instead of invalid if it has
been issued after July 1st.

Mike
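
The PSM-side decision described in the message above, as an added example that is not code from the message, NSS or PSM: an unanchored `strstr` issuer check applied on top of the trust-based result, with the revoked/invalid split by issuance date. The `cert_t` struct, `classify`, the sample issuers, the 2011 cutoff year and applying the date split to every name match are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes named after the wording in the message above. */
typedef enum { CERT_OK, CERT_INVALID, CERT_REVOKED } verdict_t;

typedef struct {
    const char *issuer;   /* issuer DN flattened to one string (hypothetical layout) */
    long issued;          /* issuance date as YYYYMMDD */
    int chain_trusted;    /* 1 if trust-based path validation found a trusted path */
} cert_t;

/* Assumption: "July 1st" means 1 July 2011, the year of the thread. */
#define CUTOFF_YYYYMMDD 20110701L

/* Unanchored substring test, as strstr does it: hits anywhere in the DN. */
static int issuer_blacklisted(const char *issuer)
{
    return strstr(issuer, "CN=DigiNotar") != NULL;
}

/* The name check runs regardless of the trust-based result, so a
 * cross-signed path that still validates does not rescue the certificate. */
verdict_t classify(const cert_t *c)
{
    if (!issuer_blacklisted(c->issuer))
        return c->chain_trusted ? CERT_OK : CERT_INVALID;
    return c->issued > CUTOFF_YYYYMMDD ? CERT_REVOKED : CERT_INVALID;
}

/* Constructed sample certificates, not taken from any real chain. */
const cert_t SAMPLES[] = {
    { "CN=DigiNotar Root CA,O=DigiNotar,C=NL", 20110710L, 0 },
    /* constructed intermediate whose cross-signed path validated */
    { "CN=DigiNotar Example Intermediate,O=DigiNotar,C=NL", 20110815L, 1 },
    { "CN=DigiNotar Root CA,O=DigiNotar,C=NL", 20100301L, 0 },
    { "CN=Example CA,O=Example,C=NL", 20110815L, 1 },
};

int main(void)
{
    static const char *names[] = { "ok", "invalid", "revoked" };
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%-52s %s\n", SAMPLES[i].issuer, names[classify(&SAMPLES[i])]);
    return 0;
}
```

The second sample is the case the thread worries about: the trust-based check alone would accept it, and only the issuer-name match rejects it.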