Re: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
- Subject: Re: [Fed-Talk] Apple's Rogue DigiNotar CA mitigation?
- From: "Danziger, Alan D." <email@hidden>
- Date: Thu, 01 Sep 2011 10:59:02 -0400
My understanding is that the 'revoking trust' doesn't work and that's why
the update to the original link below suggested deleting the certificate
altogether. The InfoWorld article said that the user told the browser
'don't trust' but didn't say whether he'd tried to delete the certificate.
Best,
-=Alan
On 8/31/11 9:13 PM, "Rex Sanders" <email@hidden> wrote:
>Deleting Mac OS X certificates using Keychain doesn't work completely:
>
>http://www.infoworld.com/d/security/mac-os-x-cant-properly-revoke-dodgy-digital-certificates-171357
>
>"Users can revoke a certificate using Keychain, but if they happen to visit
>a site that uses the more-secure Extended Validation certificates, the Mac
>will accept the EV certificate even if it's been issued by a certificate
>authority marked as untrusted in Keychain."
>
>I wonder if the command-line equivalents have the same problem.
>
>SSL/TLS: a different kind of Security Theater.
>http://en.wikipedia.org/wiki/Security_theater
>
>-- Rex
>
>
>At 9:13 AM -0700 8/31/11, David Mueller wrote:
>>Yes, you can disable DigiNotar via Keychain Access. Open the app, click on
>>the System Roots keychain, double-click on "DigiNotar Root CA", expand the
>>Trust section of the window, and set "When using this certificate" to
>>"Never Trust".
>>
>>This post has a slightly different method (with pictures), and suggests that
>>it may be better to delete the cert rather than not trusting it:
>>
>>http://www.coriolis-systems.com/blog/2011/08/diginotar-certificate-security.php
> _______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Fed-talk mailing list (email@hidden)
>Help/Unsubscribe/Update your Subscription:
>
>This email sent to email@hidden