Re: How to permanently delete root CAs from mozilla products?

On 9/17/2011 8:06 PM, Craig White wrote:
> On Sat, 2011-09-17 at 18:58 -0400, David wrote:
>> On 9/17/2011 6:21 PM, Craig White wrote:
>>> On Sat, 2011-09-17 at 16:05 -0400, David wrote:
>>>> On 9/17/2011 3:59 PM, Fernando Cassia wrote:
>>>>> On Sat, Sep 17, 2011 at 16:46, David <dgboles@xxxxxxxxx> wrote:
>>>>>> Sure there is. They come with the Firefox and Thunderbird updates. They
>>>>>> are named security updates.
>>>>>>
>>>>>> --
>>>>>>
>>>>>>  David
>>>>>
>>>>> I mean if you accidentally delete good certificates, i.e. AOL, Comodo,
>>>>> RSA, there is no way to easily reset certificates to the default state
>>>>> other than deinstalling and reinstalling the whole browser.
>>>>>
>>>>> Of course you can wait for future security updates that include
>>>>> updates to the certs, but what if none comes in the next update?
>>>>
>>>>
>>>> Refreshing the rpm is the easiest way that I can think of to do that
>>>> without uninstalling and then reinstalling.
>>>>
>>>> And, as I recall, if you go to a site for which you do not have a
>>>> certificate you are offered to accept it and add it. Not a disaster but
>>>> a slight inconvenience for the careless user.
>>> ----
>>> I don't think refreshing the rpm or even un/re installing will 'reset'
>>> certificates but I haven't tested myself.
>>>
>>> And what we are talking about is root certificates which actually
>>> comprise the highest level of a certificate chain. If you delete (or
>>> mark as not trusted) a root certificate and you go to a web site that is
>>> signed by the root certificate that you have indicated should not be
>>> trusted, it will come up as untrusted and you are given some rather dire
>>> warnings - the same as if you were presented a certificate that is
>>> 'self-signed'. I would recommend that even if you 'accept' (get
>>> certificate, trust, possibly permanently store) that you don't do any
>>> actual commerce with that site. Actually do not choose to store it
>>> permanently because the next time you go to the site, you will likely
>>> have forgotten that there is no chain of trust.
>>
>> I *really* have no idea what, just what, Fedora did here with this. But
>> I do know that the Generic Linux, and the Mac, and the Windows updates
>> fixed this. Are you saying that Fedora f*cked this up?
>>
>>  Then I would think that your problem would be with Fedora. And the
>> gnomes that live under your bed.
> ----
> Now that you mention it... I just updated my F14 - which included an
> update for Firefox.
> 
> I launch FF and see the DigiNotar certificate there dated 2007 and it is
> trusted. That concerns me.
> 
> So I 'delete' it and indeed, it completely disappears.
> 
> I close/relaunch FF and view certificates and it is back, only this
> time, it is not trusted (good). It appears to be the same certificate
> (dates - I didn't note the serial numbers).
> 
> I am fine with this.
> 
> I am not sure that simply updating FF will work as expected (disabling
> DigiNotar's certificate) without manual intervention but I will check on
> another user's profile later.


I assume that this 'update' is a Fedora RPM? And it does not 'update'?
Your disagreement seems, to me, to be with Fedora or the Fedora
packager? The 'Generic' Mozilla Linux package, which is what I use,
updates as expected.


> As for Macintosh, Windows, 'generic Linux' (whatever that means to you
> it means nothing to me), I don't know but I can verify the
> Windows/Macintosh FF behavior when I get time. Did you actually track
> the exact state of the DigiNotar certificate before/after updating?


Did I "actually track the exact state of the DigiNotar certificate"?
No. Not really. I just updated as needed and did not sit on my thumb
while the rest of the world solved this problem.

Have a nice day.


-- 

  David
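
The before/after check discussed in this thread (is the DigiNotar root still trusted in a given profile, and did a "delete" leave an untrusted record behind) can be scripted, shown here as an added example that is not part of the original messages. It assumes the listing comes from NSS `certutil -L -d <profile> -h all`, that built-in roots appear with a `Builtin Object Token:` prefix, and that a record in the profile database takes precedence over the built-in one; the sample listing and the function names are constructed for illustration.

```python
import re

# Constructed sample of `certutil -L -d <profile> -h all` output (not captured
# from a real system). Built-in roots carry the "Builtin Object Token:" prefix;
# an entry without it is a record stored in the profile's own database.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiNotar Root CA                       C,C,C
DigiNotar Root CA                                            ,,
Builtin Object Token:Example Trust Root                      CT,C,C
mail.example.org                                             P,,
"""

LINE = re.compile(
    r"^(?P<nick>.*\S)\s{2,}(?P<ssl>[A-Za-z]*),(?P<mail>[A-Za-z]*),(?P<code>[A-Za-z]*)\s*$"
)
BUILTIN = "Builtin Object Token:"

def parse_listing(text):
    """Return {nickname: {"builtin"|"profile": ssl_flags}} from a listing."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        nick = m.group("nick").strip()
        source = "profile"
        if nick.startswith(BUILTIN):
            nick, source = nick[len(BUILTIN):], "builtin"
        entries.setdefault(nick, {})[source] = m.group("ssl")
    return entries

def ssl_trust_state(entries, nickname):
    """Return (state, deciding_source) for website (SSL) trust of one entry."""
    rec = entries.get(nickname)
    if rec is None:
        return ("absent", None)
    # Assumption: a record in the profile database overrides the built-in one.
    source = "profile" if "profile" in rec else "builtin"
    return ("trusted-ca" if "C" in rec[source] else "not-trusted-ca", source)

def audit(text, needle):
    """Trust state of every entry whose nickname contains `needle`."""
    entries = parse_listing(text)
    return {n: ssl_trust_state(entries, n) for n in entries if needle.lower() in n.lower()}

if __name__ == "__main__":
    print(audit(SAMPLE_LISTING, "diginotar"))
```

Running the same audit against each user's profile directory before and after a browser update shows whether the update alone changed the root's trust or whether a per-profile record is what decides it.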