Closed Bug 683132 Opened 13 years ago Closed 13 years ago

Revoking a root certificate doesn't work

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
6 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: info, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

I tried to remove the DigiNotar root certificate as suggestet at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Then I visited a web site that uses a DigiNotar-issued cert, e.g. https://as.digid.nl/


Actual results:

Everything normal.


Expected results:

Firefox should complain that the certificate is not trusted
Component: General → Security
I believe this is a non-existing bug.
When one retrieves the SSL Certificate for as.digid.nl one can see that it uses DigiNotar as an intermediate CA.
You only removed the DigiNotar Root CA.

DigiNotar owns several Root/Intermediate certificates.

The one used for as.digid.nl is part of the 'Staat der Nederlanden Root CA'/'Staat der Nederlanden Overheid Root CA'/'DigiNotar PKLIoverheid CA Overheid en Bedrijven' certification chain.

In my opinion your expectation differs from what should be expected ;)
Valid point. Removing 'Staat der Nederlanden Overheid Root CA' indeed triggers the desired behavior. This bug should be closed.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Please not that removing 'Staat der Nederlanden Overheid Root CA' will make more SSL Certs invalid.
For example Defense and Justice departments. Or the 'Belastingdienst' (not mijn.belastingdienst.nl as this is signed by Verisign).

I rather would update firefox to have the fix from https://bugzilla.mozilla.org/show_bug.cgi?id=682956
You need to log in before you can comment on or make changes to this bug.