F-EOL versions of Firefox: How to remove co-opted Diginotar CA?
Craig White
craigwhite at azapple.com
Thu Sep 15 12:28:46 UTC 2011
On Tue, 2011-09-06 at 17:21 +0200, Reindl Harald wrote:
>
> Am 06.09.2011 17:18, schrieb Daniel B. Thurman:
> > On 09/06/2011 08:08 AM, Pasha R wrote:
> >> On Tue, Sep 6, 2011 at 5:19 PM, Daniel B. Thurman <dant at cdkkt.com> wrote:
> >>> For EOL FF versions, how can I remove the co-opted
> >>> Diginotar CA certificate? Instructions given by Mozilla
> >>> does not remove this certificate.
> >>>
> >>> If the root CA's cannot be manually removed, Is there
> >>> a FF rpm that has the fix?
> >> Uneducated guess: try running FF as root and then following
> >> instructions by mozilla
> > I already explained that the instructions given by Mozilla
> > does not work. You can try to 'delete' DigiNotar per Mozilla's
> > instructions, having done that, and going back to check will
> > show that it still appears. This root CA is a built-in object...
> > so it cannot be deleted.
> >
> > Since there are no updates for end-of-life fedora versions, one
> > may have to backport the ca-certificates packages, since not
> > only Firefox is affected but many others such as Seamonkey,
> > Thunderbird, and many other applications, as Kevin Fenzi wrote.
> >
> > Now... I need to figure out how to do a backport of ca-certificates
> > pkg so if anyone has any idea how this can be done, I am all ears...
>
> wget
> http://kojipkgs.fedoraproject.org/packages/ca-certificates/2011.78/1.fc14/src/ca-certificates-2011.78-1.fc14.src.rpm
> rpmbuild --rebuild ca-certificates-2011.78-1.fc14.src.rpm
----
I think ca-certificates is only about the OS root certs and all the
mozilla software (FF, TB, SM) do not use the OS certificate store so
this would have no impact. Mozilla software, as part of their heritage
maintain their own certificate store and thus would have to be updated
separately.
That said, I believe I have seen instances where you delete a trusted
root certificate and the first time, it remains in the database but not
trusted and the second time you delete it, it actually finally removes
it. I may be confusing that operation with Apple's Keychain Access
behavior though...
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the users
mailing list