Revoking a root certificate doesn't work

RESOLVED INVALID


People

(Reporter: info, Unassigned)

Tracking

6 Branch
x86_64
Windows 7
Description

7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

I tried to remove the DigiNotar root certificate as suggested at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Then I visited a web site that uses a DigiNotar-issued cert, e.g. https://as.digid.nl/


Actual results:

Everything normal.


Expected results:

Firefox should complain that the certificate is not trusted
(Reporter)

Updated

7 years ago
Component: General → Security

Comment 1

7 years ago
I believe this is a non-existing bug.
When one retrieves the SSL Certificate for as.digid.nl one can see that it uses DigiNotar as an intermediate CA.
You only removed the DigiNotar Root CA.

DigiNotar owns several Root/Intermediate certificates.

The one used for as.digid.nl is part of the 'Staat der Nederlanden Root CA'/'Staat der Nederlanden Overheid Root CA'/'DigiNotar PKIoverheid CA Overheid en Bedrijven' certification chain.

In my opinion your expectation differs from what should be expected ;)
(Reporter)

Comment 2

7 years ago
Valid point. Removing 'Staat der Nederlanden Overheid Root CA' indeed triggers the desired behavior. This bug should be closed.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID

Comment 3

7 years ago
Please note that removing 'Staat der Nederlanden Overheid Root CA' will make more SSL Certs invalid.
For example Defense and Justice departments. Or the 'Belastingdienst' (not mijn.belastingdienst.nl as this is signed by Verisign).

I would rather update Firefox to have the fix from https://bugzilla.mozilla.org/show_bug.cgi?id=682956
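
The chain logic from Comments 1 to 3, as an added example that is not part of the original bug thread or of Firefox: a small path-building model showing which removal breaks which site. The CA names for as.digid.nl are taken from Comment 1; the `.example` hosts, `Hypothetical Ministry CA`, the anchor set, and the rule that a removed name is rejected anywhere in the path are assumptions made for illustration.

```python
# Constructed subject -> issuer links. The as.digid.nl chain follows Comment 1;
# the *.example hosts and "Hypothetical Ministry CA" are made up.
ISSUER = {
    "as.digid.nl": "DigiNotar PKIoverheid CA Overheid en Bedrijven",
    "DigiNotar PKIoverheid CA Overheid en Bedrijven":
        "Staat der Nederlanden Overheid Root CA",
    "Staat der Nederlanden Overheid Root CA": "Staat der Nederlanden Root CA",
    "defensie.example": "Hypothetical Ministry CA",
    "Hypothetical Ministry CA": "Staat der Nederlanden Overheid Root CA",
    "shop.example": "DigiNotar Root CA",
}

# Assumed trust anchors present in the store before any removal.
ANCHORS = {"DigiNotar Root CA", "Staat der Nederlanden Root CA"}


def build_path(host, removed=frozenset()):
    """Walk issuer links from host up to a trust anchor.

    Returns the list of names from leaf to anchor, or None when the walk
    hits a removed name, a missing issuer, or a loop.
    """
    path, seen, current = [host], {host}, host
    while True:
        if current in removed:
            return None          # user removed/distrusted this certificate
        if current in ANCHORS:
            return path          # reached a trusted root
        issuer = ISSUER.get(current)
        if issuer is None or issuer in seen:
            return None          # dangling chain or issuer loop
        path.append(issuer)
        seen.add(issuer)
        current = issuer


def broken_by(removed_name):
    """Hosts that validate today but fail once removed_name is removed."""
    leaves = [s for s in ISSUER if s not in ISSUER.values()]
    return sorted(
        h for h in leaves
        if build_path(h) and not build_path(h, {removed_name})
    )


if __name__ == "__main__":
    for name in ("DigiNotar Root CA", "Staat der Nederlanden Overheid Root CA"):
        print(f"removing {name!r} breaks: {broken_by(name)}")
```
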