Closed Bug 683455 Opened 14 years ago Closed 12 years ago

Dis-trust Entrust -> DigiNotar cross-certificate

Categories

(NSS :: CA Certificates Code, task)


RESOLVED DUPLICATE of bug 682927

People

(Reporter: gerv, Assigned: KaiE)

Attachments

(3 files)

Entrust wish us to dis-trust their cross-certificate of the DigiNotar CA. They have revoked it. This may well not be strictly necessary due to the way we wrote the original patch, but Entrust have requested that we do it. I will update this bug with more details of the cert in question when I have them.
Gerv
Please find attached the certificates that were issued and distributed to DigiNotar. The issuer was Entrust.net Secure Server Certification Authority. The serial numbers are:
469c2cb0
469c2caf
469c3cc9
All have been revoked and the CRL can be found at http://crl.entrust.net/server1.crl. Please let me know if you need any other information.
Best regards,
Bruce Morton
Entrust Certificate Services
+1 613 270 3743
http://ssl.entrust.net/blog/
Attached file DigiNotar Root CA (1)
Attached file DigiNotar Root CA (2)
I confirm that I already know how to blocklist these certs in NSS, all 3 certs were on my list already, and I'm working on it. We will use a carefully crafted fake-override cert for the former "DigiNotar Root CA", in a way that covers also certs with serials 469c2caf and 469c3cc9. In addition, we must create a separate fake override cert to handle serial 469c2cb0. I apologize that I have to steal a serial number from Entrust in order to do that. I intend to produce a fake, explicitly untrusted cert, which uses the same issuer name as in 469c2cb0, and use serial number 0xfffffff. I am currently working on this in bug 683261.
Attachment #557169 - Attachment mime type: text/plain → application/x-x509-ca-cert
Attachment #557170 - Attachment description: Diginotar Root CA (2) → DigiNotar Root CA (2)
Attachment #557170 - Attachment mime type: text/plain → application/x-x509-ca-cert
Attachment #557172 - Attachment mime type: text/plain → application/x-x509-ca-cert
The patches from bug 682927 already block these certs for SSL (only) in an overridable way for PSM-based products.
Assignee: nobody → kaie
Depends on: 683261
Comment on attachment 557169: DigiNotar Root CA (1)
I don't want these certs to automatically install themselves when clicked on!
Gerv
Attachment #557169 - Attachment mime type: application/x-x509-ca-cert → text/plain
Attachment #557170 - Attachment mime type: application/x-x509-ca-cert → text/plain
Attachment #557172 - Attachment mime type: application/x-x509-ca-cert → text/plain
Attachment #557169 - Attachment mime type: text/plain → application/octet-stream
Attachment #557172 - Attachment mime type: text/plain → application/octet-stream
Attachment #557169 - Attachment mime type: application/octet-stream → application/x-x509-ca-cert
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE