F-EOL versions of Firefox: How to remove co-opted Diginotar CA?
Pasha R
pashar.ml at gmail.com
Wed Sep 7 05:54:44 UTC 2011
On Tue, Sep 6, 2011 at 7:05 PM, Daniel B. Thurman <dant at cdkkt.com> wrote:
> On 09/06/2011 08:49 AM, Pasha R wrote:
>> On Tue, Sep 6, 2011 at 6:18 PM, Daniel B. Thurman <dant at cdkkt.com> wrote:
>>> On 09/06/2011 08:08 AM, Pasha R wrote:
>>>> On Tue, Sep 6, 2011 at 5:19 PM, Daniel B. Thurman <dant at cdkkt.com> wrote:
>>>>> For EOL FF versions, how can I remove the co-opted
>>>>> Diginotar CA certificate? Instructions given by Mozilla
>>>>> does not remove this certificate.
>>>>>
>>>>> If the root CA's cannot be manually removed, Is there
>>>>> a FF rpm that has the fix?
>>>> Uneducated guess: try running FF as root and then following
>>>> instructions by mozilla
>>> I already explained that the instructions given by Mozilla
>>> does not work. You can try to 'delete' DigiNotar per Mozilla's
>>> instructions, having done that, and going back to check will
>>> show that it still appears. This root CA is a built-in object...
>>> so it cannot be deleted.
>>>
>>> Since there are no updates for end-of-life fedora versions, one
>>> may have to backport the ca-certificates packages, since not
>>> only Firefox is affected but many others such as Seamonkey,
>>> Thunderbird, and many other applications, as Kevin Fenzi wrote.
>>>
>>> Now... I need to figure out how to do a backport of ca-certificates
>>> pkg so if anyone has any idea how this can be done, I am all ears...
>>>
>>>
>> Instructions (almost) worked for me - CA is still displayed, but if
>> you press "Edit trust" button, you will see, that all checkboxes are
>> unchecked, so it will not be used for anything.
> Why do you say: "(almost) worked" ?
>
Because the certificate is still displayed. Still, I think it is ok if
all trust checkbox are unchecked.
More information about the users
mailing list