Remove the exemptions for the Staat der Nederlanden root
Bug #838322 reported by Micah Gersten
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mozilla Firefox | Fix Released | Critical | |
firefox (Ubuntu) | Fix Released | Medium | Chris Coulson |
Lucid | Fix Released | Medium | Micah Gersten |
Maverick | Fix Released | Medium | Micah Gersten |
Natty | Fix Released | Medium | Micah Gersten |
Oneiric | Fix Released | Medium | Chris Coulson |
thunderbird (Ubuntu) | Fix Released | Medium | Chris Coulson |
Lucid | Fix Released | Medium | Micah Gersten |
Maverick | Fix Released | Medium | Micah Gersten |
Natty | Fix Released | Medium | Micah Gersten |
Oneiric | Fix Released | Medium | Chris Coulson |
xulrunner-1.9.2 (Ubuntu) | Invalid | Undecided | Unassigned |
Lucid | Fix Released | Medium | Micah Gersten |
Maverick | Fix Released | Medium | Micah Gersten |
Natty | Fix Released | Undecided | Unassigned |
Oneiric | Invalid | Undecided | Unassigned |
Bug Description
Here's an updated blog post on the DigiNotar issue:
http://
The Staat der Nederlanden root exemption has been removed. These root certs are still believed to be trusted. The "PKIOverheid" (PKIGovernment) intermediates under DigiNotar's control that did not chain to DigiNotar's root and were not previously blocked were blocked instead.
Changed in firefox (Ubuntu Oneiric): | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in firefox (Ubuntu Natty): | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in firefox (Ubuntu Maverick): | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in firefox (Ubuntu Lucid): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in firefox: | |
importance: | Unknown → Critical |
status: | Unknown → Fix Released |
summary: |
- DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots
+ Remove the exemptions for the Staat der Nederlanden root
description: | updated |
description: | updated |
It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.
The roots are:
Staat der Nederlanden Root CA (successfully exempted)
Staat der Nederlanden Root CA - G2 (accidentally included)
The line of code is this one:
if (!strcmp(node->cert->issuerName,
            "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...
This check needs to include both the names above.
Test site: https://sha2.diginotar.nl/
Gerv
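
The single-name exemption described in the comment above, as an added example (not Mozilla's or Ubuntu's code): it shows how a chain under the second root is blocked when the exemption list holds one name and allowed when it holds both. The function `chain_blocked`, its "issuer DN mentions DigiNotar" rule, the sample chains and the G2 issuer DN are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Issuer DN from the code line quoted in the comment above. */
#define SDN_G1 "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
/* Constructed: DN of the second root, assumed to follow the same pattern. */
#define SDN_G2 "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"

/* Exemption list with one name (the reported bug) and with both names. */
static const char *const EXEMPT_ONE[]  = { SDN_G1 };
static const char *const EXEMPT_BOTH[] = { SDN_G1, SDN_G2 };

/* Constructed chains, leaf first; each entry is one certificate's issuer DN. */
static const char *const CHAIN_G1[] = { "CN=Example CA,O=DigiNotar B.V.,C=NL", SDN_G1 };
static const char *const CHAIN_G2[] = { "CN=Example CA G2,O=DigiNotar B.V.,C=NL", SDN_G2 };
static const char *const CHAIN_DN[] = { "CN=Example CA,O=DigiNotar B.V.,C=NL",
                                        "CN=Example Root,O=DigiNotar,C=NL" };

/* Exact match only: a prefix or substring test would also accept look-alikes. */
static int is_exempt(const char *issuer, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(issuer, names[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical model of the block: reject (1) a chain in which an issuer DN
 * mentions DigiNotar, unless a certificate in it was issued by an exempt root. */
int chain_blocked(const char *const *issuers, size_t len,
                  const char *const *exempt, size_t n_exempt)
{
    int diginotar = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_exempt(issuers[i], exempt, n_exempt))
            return 0;
        if (strstr(issuers[i], "DigiNotar") != NULL)
            diginotar = 1;
    }
    return diginotar;
}

int main(void)
{
    printf("G2 chain, one name exempt:   blocked=%d\n", chain_blocked(CHAIN_G2, 2, EXEMPT_ONE, 1));
    printf("G2 chain, both names exempt: blocked=%d\n", chain_blocked(CHAIN_G2, 2, EXEMPT_BOTH, 2));
    printf("G1 chain, one name exempt:   blocked=%d\n", chain_blocked(CHAIN_G1, 2, EXEMPT_ONE, 1));
    printf("DigiNotar-rooted chain:      blocked=%d\n", chain_blocked(CHAIN_DN, 2, EXEMPT_BOTH, 2));
    return 0;
}
```

A regression test that runs one sample chain per root in the trust store against the exemption list catches this kind of omission before release.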