Re: F-EOL versions of Firefox: How to remove co-opted Diginotar CA?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 2011-09-06 at 17:21 +0200, Reindl Harald wrote:
> 
> Am 06.09.2011 17:18, schrieb Daniel B. Thurman:
> > On 09/06/2011 08:08 AM, Pasha R wrote:
> >> On Tue, Sep 6, 2011 at 5:19 PM, Daniel B. Thurman <dant@xxxxxxxxx> wrote:
> >>> For EOL FF versions, how can I remove the co-opted
> >>> Diginotar CA certificate? Instructions given by Mozilla
> >>> does not remove this certificate.
> >>>
> >>> If the root CA's cannot be manually removed, Is there
> >>> a FF rpm that has the fix?
> >> Uneducated guess: try running FF as root and then following
> >> instructions by mozilla
> > I already explained that the instructions given by Mozilla
> > does not work.  You can try to 'delete' DigiNotar per Mozilla's
> > instructions, having done that, and going back to check will
> > show that it still appears. This root CA is a built-in object...
> > so it cannot be deleted.
> > 
> > Since there are no updates for end-of-life fedora versions, one
> > may have to backport the ca-certificates packages, since not
> > only Firefox is affected but many others such as Seamonkey,
> > Thunderbird, and many other applications, as Kevin Fenzi wrote.
> > 
> > Now...  I need to figure out how to do a backport of ca-certificates
> > pkg so if anyone has any idea how this can be done, I am all ears...
> 
> wget
> http://kojipkgs.fedoraproject.org/packages/ca-certificates/2011.78/1.fc14/src/ca-certificates-2011.78-1.fc14.src.rpm
> rpmbuild --rebuild ca-certificates-2011.78-1.fc14.src.rpm
----
I think ca-certificates is only about the OS root certs and all the
mozilla software (FF, TB, SM) do not use the OS certificate store so
this would have no impact. Mozilla software, as part of their heritage
maintain their own certificate store and thus would have to be updated
separately.

That said, I believe I have seen instances where you delete a trusted
root certificate and the first time, it remains in the database but not
trusted and the second time you delete it, it actually finally removes
it. I may be confusing that operation with Apple's Keychain Access
behavior though...

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux