On 9/17/2011 8:06 PM, Craig White wrote:
> On Sat, 2011-09-17 at 18:58 -0400, David wrote:
>> On 9/17/2011 6:21 PM, Craig White wrote:
>>> On Sat, 2011-09-17 at 16:05 -0400, David wrote:
>>>> On 9/17/2011 3:59 PM, Fernando Cassia wrote:
>>>>> On Sat, Sep 17, 2011 at 16:46, David <dgboles@xxxxxxxxx> wrote:
>>>>>> Sure there is. They come with the Firefox and Thunderbird updates. They
>>>>>> are named security updates.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> David
>>>>>
>>>>> I mean if you accidentally delete good certificates, i.e. AOL, Comodo,
>>>>> RSA, there is no way to easily reset certificates to the default state
>>>>> other than deinstalling and reinstalling the whole browser.
>>>>>
>>>>> Of course you can wait for future security updates that include
>>>>> updates to the certs, but what if none comes in the next update?
>>>>
>>>>
>>>> Refresh the rpm is the easiest way that I can think of to do that
>>>> without uninstalling and then reinstalling.
>>>>
>>>> And, as I recall, if you go to a site for which you do not have a
>>>> certificate you are offered to accept it and add it. Not a disaster but
>>>> a slight inconvenience for the careless user.
>>> ----
>>> I don't think refreshing the rpm or even un/re installing will 'reset'
>>> certificates but I haven't tested myself.
>>>
>>> And what we are talking about is root certificates which actually
>>> comprise the highest level of a certificate chain. If you delete (or
>>> mark as not trusted) a root certificate and you go to a web site that is
>>> signed by the root certificate that you have indicated should not be
>>> trusted, it will come up as untrusted and you are given some rather dire
>>> warnings - the same as if you were presented a certificate that is
>>> 'self-signed'. I would recommend that even if you 'accept' (get
>>> certificate, trust, possibly permanently store) that you don't do any
>>> actual commerce with that site. Actually do not choose to store it
>>> permanently because the next time you go to the site, you will likely
>>> have forgotten that there is no chain of trust.
>>
>> I *really* have no idea what, just what, Fedora did here with this. But
>> I do know that the Generic Linux, and the Mac, and the Windows updates
>> fixed this. Are you saying that Fedora f*cked this up?
>>
>> Then I would think that your problem would be with Fedora. And the
>> gnomes that live under your bed.
> ----
> Now that you mention it... I just updated my F14 - which included an
> update for Firefox.
>
> I launch FF and see the DigiNotar certificate there dated 2007 and it is
> trusted. That concerns me.
>
> So I 'delete' it and indeed, it completely disappears.
>
> I close/relaunch FF and view certificates and it is back, only this
> time, it is not trusted (good). It appears to be the same certificate
> (dates - I didn't note the serial numbers).
>
> I am fine with this.
>
> I am not sure that simply updating FF will work as expected (disabling
> DigiNotar's certificate) without manual intervention but I will check on
> another user's profile later.

I assume that this 'update' is a Fedora RPM? And it does not 'update'?
Your disagreement seems, to me, to be with Fedora or the Fedora packager?

The 'Generic' Mozilla Linux package, which is what I use, updates as
expected.

> As for Macintosh, Windows, 'generic Linux' (whatever that means to you
> it means nothing to me), I don't know but I can verify the
> Windows/Macintosh FF behavior when I get time. Did you actually track
> the exact state of the DigiNotar certificate before/after updating?

Did I "actually track the exact state of the DigiNotar certificate"? No.
Not really. I just updated as needed and did not sit on my thumb while
the rest of the world solved this problem.

Have a nice day.

--
David