On TUAW, the comments on a post[1] about removing the DigiNotar certificate indicate that all you really have to do is quit and relaunch Safari to get it to notice that the certificate has been marked as untrusted. How did this article decide that EV-SSL was to blame?
Marking as not trusted in Lion seems to work fine. When I open DigiNotar's own site[1] in Safari, I get a "can't verify the identity..." dialog popup. Not sure how to check if it's an EV cert, though it'd be surprising if they're not using an EV cert for their own CA site!
Just delete the cert altogether - there's no reason to leave it on the system at this point (i.e. Google Chrome does not trust it in the latest updates regardless).
The problem is the certificate can be re-added when you do an update (if the update included new root CAs). Thus it's usually safer to just mark the CA as untrusted.
Ehm ... I am not seeing this at all. I have marked the certificate as not trusted ever, and I get warnings no matter what on their site, whether they are using EV-SSL or not.
Seems to me there is going to be a growing demand for greater accountability in CAs. Does the protocol support requiring a certificate to be signed by two (or more) trusted CAs? Then even if one CA is hacked or spoofed into signing a bogus certificate, hopefully the other one hasn't been.
The line between how a browser or even a TLS library validates a certificate and what the protocol requires is blurry (you can do more than the TLS protocol itself needs you to do), but, no, you can't sign a cert with 2 CAs.
Works for me on OSX 10.6.6 - disable DigiNotar in Keychain Access then attempt to visit the DigiNotar site over SSL at https://service.diginotar.nl/ - it either fails outright or generates a certificate warning.
Slightly off topic, but does anyone know how Opera has been handling this? I've searched around a bit and looked at Opera's cert settings and can't figure out if Opera has fixed this or not.
eridius | 14 years ago
[1] http://www.tuaw.com/2011/09/01/how-to-get-rid-of-diginotar-d...
yogsototh | 14 years ago
kelnos | 14 years ago
Also works in Chrome...
[1] https://service.diginotar.nl/files/DigiNotar%20Root%20CA.crt
MediaBehavior | 14 years ago
"Safari can't open the page... because Safari can't establish a secure connection to the server 'service.diginotar.nl' "
windexh8er | 14 years ago
http://vimeo.com/28362457
RyanKearney | 14 years ago
calloc | 14 years ago
eli | 14 years ago
dchest | 14 years ago
dchest | 14 years ago
rdar (filed by Chromium devs): rdar://10051665
On HN: http://news.ycombinator.com/item?id=2940530
ams6110 | 14 years ago
tptacek | 14 years ago
unknown | 14 years ago
[deleted]
pygorex | 14 years ago
arkitaip | 14 years ago
lmkg | 14 years ago
http://my.opera.com/securitygroup/blog/2011/08/30/when-certi...
sigzero | 14 years ago
earl | 14 years ago