On Thu, Sep 01, 2011 at 08:37:01AM +0200, Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > So, I'll put that on tiredness. That'd be several fraudulent
> > > > certificates whose fingerprint is unknown (thus even CRL, OCSP and
> > > > blacklists can't do anything), and the mitigation involves several
> > > > different intermediate certs that are cross-signed, which makes it kind
> > > > of hard. Plus, there is the problem that untrusting the DigiNotar root
> > > > untrusts a separate PKI used by the Dutch government.
> >
> > AFAICS, this last part is not true. The gov has one Root and DigiNotar's
> > PKIOverheid is one of its leaves.
> > Other DigiNotar CAs are the one derived from Entrust (seems to have been
> > revoked), and a PKIOverheid G2 that I've seen mentioned in a few places
> > (also derived from Entrust?)
>
> Well, reality is that the Firefox 6.0.1 release, which has a whitelist
> for Staat der Nederlanden Root CA but not Staat der Nederlanden Root CA
> - G2, effectively prevents from going to a couple of Dutch government
> sites.
> Considering it has been found that the PSM side blacklist doesn't work,
> that suggests that the root CA removal alone is responsible for the
> situation, but I could be wrong.
I did some actual testing. With the DigiNotar Root CA removal, we don't block
Staat der Nederlanden Root CA and Staat der Nederlanden Root CA - G2. We also
don't block (obviously) the ones with intermediate certs signed by Entrust,
and if I followed the story correctly, this means we're effectively *not*
preventing the *.google.com, addons.mozilla.org, *.yahoo.com, etc. fraudulent
certificates from being used.

A few URLs to test:
https://www.diginotar.nl should be blocked, and is -> OK
https://sha2.diginotar.nl should not be blocked, and isn't -> OK
https://zga-tag.zorggroep-almere.nl should be blocked, and isn't -> BAD

Mike
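To make the test results above concrete, here is an added example (not code from this thread, nor from Firefox/PSM): a toy chain builder that models the three trust-store states discussed, with constructed subject names and "fp-*" fingerprints standing in for real certificates and a simplified path search standing in for full X.509 validation. It shows that removing only the DigiNotar root still leaves a chain through the Entrust-signed copy of the intermediate, that distrusting the intermediate by fingerprint closes both paths, and that a chain under Staat der Nederlanden Root CA is untouched by the root removal.

```python
# Added illustration, not code from the thread or from Firefox/PSM. All
# subjects, issuers and "fp-*" fingerprints below are constructed stand-ins.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fp: str  # constructed stand-in for a certificate fingerprint

# Constructed pool: the DigiNotar intermediate appears twice with the same
# key (same fp), once signed by the DigiNotar root and once by Entrust.
POOL = [
    Cert("DigiNotar Intermediate", "DigiNotar Root CA", "fp-inter"),
    Cert("DigiNotar Intermediate", "Entrust Root", "fp-inter"),
    Cert("PKIoverheid Intermediate", "Staat der Nederlanden Root CA", "fp-pkio"),
]
FRAUD_LEAF = Cert("*.google.com", "DigiNotar Intermediate", "fp-fraud")
GOV_LEAF = Cert("gov-site.example", "PKIoverheid Intermediate", "fp-gov")  # constructed

ORIGINAL_ANCHORS = {"DigiNotar Root CA", "Entrust Root", "Staat der Nederlanden Root CA"}
ROOT_REMOVED = ORIGINAL_ANCHORS - {"DigiNotar Root CA"}

def build_path(cert, anchors, distrusted, seen=()):
    """Return subjects from cert up to a trusted anchor, or None if no chain
    exists. A cert whose fingerprint is distrusted is unusable, and a chain
    only terminates at an anchor that is still present in the store."""
    if cert.fp in distrusted or cert.subject in seen:
        return None
    if cert.issuer in anchors:
        return [cert.subject, cert.issuer]
    for cand in POOL:
        if cand.subject == cert.issuer:
            rest = build_path(cand, anchors, distrusted, seen + (cert.subject,))
            if rest:
                return [cert.subject] + rest
    return None

def mitigation_comparison():
    """Compare the trust-store states discussed in the thread."""
    return {
        "before": build_path(FRAUD_LEAF, ORIGINAL_ANCHORS, set()),
        "root_removed_only": build_path(FRAUD_LEAF, ROOT_REMOVED, set()),
        "root_removed_plus_intermediate_distrusted":
            build_path(FRAUD_LEAF, ROOT_REMOVED, {"fp-inter"}),
        "gov_site_after_root_removal": build_path(GOV_LEAF, ROOT_REMOVED, set()),
    }
```

Calling `mitigation_comparison()` returns a chain ending in "Entrust Root" for the root-removed-only state, None once "fp-inter" is distrusted, and an intact chain for the government leaf.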