
How to disable trust in a sub-CA certificate?


Erwann Abalea

Apr 5, 2011, 6:12:39 AM
to mozilla-dev-s...@lists.mozilla.org
Hello,

I wanted to disable all trust about Comodo certificates (and others,
too). I know I can uncheck the 3 trust bits for the Comodo roots. But
what if this CA is cross-signed?

Real-world example, the recent rogue certificates issued by Comodo.
Those are signed by the "CN=UTN-USERFirst-Hardware" root CA. I can
disable the 3 trust bits of this CA. But looking at those rogue
certificates, I can see that this CA is cross-signed by "CN=AddTrust
External CA Root" (and this certificate is correctly referenced in the
AIA extension). I could also uncheck the 3 trust bits for this root,
but the effect is then much wider.

Another real-world example is the CNNIC root CA, cross-signed by
Entrust.

Is there a way to have *negative* trust, instead of the dual "I trust
this certificate" / "I leave the decision to trust or not to a higher
level certificate"?

--
Erwann.

Eddy Nigg

Apr 5, 2011, 6:18:11 AM
to mozilla-dev-s...@lists.mozilla.org
On 04/05/2011 01:12 PM, From Erwann Abalea:

> I wanted to disable all trust about Comodo certificates (and others,
> too). I know I can uncheck the 3 trust bits for the Comodo roots. But
> what if this CA is cross-signed?

Erwann, maybe this helps:
http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comodo-root-certificate-in-firefox/

And you might want to disable also one of the Entrust CA roots, I
understood that some roots of Comodo are cross-signed by Entrust.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Erwann Abalea

Apr 5, 2011, 8:19:43 AM
to mozilla-dev-s...@lists.mozilla.org
On 5 Apr, 11:18, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 04/05/2011 01:12 PM, From Erwann Abalea:
>
> > I wanted to disable all trust about Comodo certificates (and others,
> > too). I know I can uncheck the 3 trust bits for the Comodo roots. But
> > what if this CA is cross-signed?
>
> Erwann, maybe this helps: http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comod...

Thanks, that works for root CAs, but my question was for sub-CAs.

> And you might want to disable also one of the Entrust CA roots, I
> understood that some roots of Comodo are cross-signed by Entrust.

I also don't want to completely disable Entrust, but only some
certificates signed by Entrust (such as CNNIC, or Comodo). And I
noticed the GUI doesn't provide me a way to set a "negative trust" for
an arbitrary certificate. Such notion of "negative trust" has no
meaning for root CAs, but it should work with sub-CAs, by invalidating
a specific path.

The command-line "certutil" tool seems able to set a "warn me always"
flag. Maybe I should test it.

--
Erwann.

Eddy Nigg

Apr 5, 2011, 9:06:22 AM
to mozilla-dev-s...@lists.mozilla.org
On 04/05/2011 03:19 PM, From Erwann Abalea:

> Thanks, that works for root CAs, but my question was for sub-CAs.

If you disable the root, the intermediate CAs are disabled too. If you
want to disable only intermediate CAs this is more tricky, since Comodo
can always issue a new one which you don't know about, and it will be
automatically imported into your certificate store because you trust the
CA root. Except in case you disabled trust for it.

> I also don't want to completely disable Entrust, but only some
> certificates signed by Entrust (such as CNNIC, or Comodo).

That would be effectively the roots of the respective CAs. I believe
that if you disable the CA root, the cross-signature might not override
your decision. But I might be wrong.
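
The two points the thread turns on, that unchecking the trust bits of one root leaves a cross-signed path alive while "negative trust" on the sub-CA would invalidate exactly that path, and that a CA can issue a fresh intermediate with a different fingerprint, can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread, from NSS, from certutil or from Firefox. The certificates reuse the names mentioned above, but their fingerprints are made-up labels, the issuance relationships are constructed to mirror the discussion, and the trust-flag semantics (a path is accepted when it reaches a trusted CA without passing through a distrusted certificate) are an assumption of this model, not a description of NSS behaviour.

```python
"""Toy model of path building over a cross-signed CA with positive and
negative trust entries.  Added example; constructed data, not real certs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed label standing in for a certificate hash
    is_ca: bool = True


# Constructed store using the names from the thread.  Fingerprints are not hashes.
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", "fp-addtrust")
UTN_SELF = Cert("UTN-USERFirst-Hardware", "UTN-USERFirst-Hardware", "fp-utn-self")
UTN_CROSS = Cert("UTN-USERFirst-Hardware", "AddTrust External CA Root", "fp-utn-cross")
# Hypothetical re-issued cross-certificate: same names, new fingerprint.
UTN_CROSS_NEW = Cert("UTN-USERFirst-Hardware", "AddTrust External CA Root", "fp-utn-cross-2")
LEAF_UTN = Cert("login.example", "UTN-USERFirst-Hardware", "fp-leaf-utn", is_ca=False)
LEAF_OTHER = Cert("other.example", "AddTrust External CA Root", "fp-leaf-other", is_ca=False)
BASE_STORE = [ADDTRUST, UTN_SELF, UTN_CROSS, LEAF_UTN, LEAF_OTHER]


@dataclass(frozen=True)
class TrustSettings:
    trusted_ca: frozenset                      # fingerprints with the "trust this CA" bit set
    distrusted_fps: frozenset = frozenset()    # negative trust keyed on fingerprint
    distrusted_names: frozenset = frozenset()  # negative trust keyed on subject name


def build_paths(leaf, store):
    """Enumerate every issuer chain from leaf up to a self-signed certificate.
    Chaining is by name, so a cross-signed CA (one subject, several issuer
    certificates) yields one candidate path per issuer certificate."""
    paths = []

    def walk(chain):
        top = chain[-1]
        if top.subject == top.issuer:
            paths.append(tuple(chain))
            return
        for cand in store:
            if cand.is_ca and cand.subject == top.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return paths


def path_accepted(path, ts):
    """Walk from the leaf upward: a distrusted certificate anywhere on the way
    invalidates this path; reaching an explicitly trusted CA accepts it."""
    for cert in path[1:]:
        if cert.fingerprint in ts.distrusted_fps or cert.subject in ts.distrusted_names:
            return False
        if cert.fingerprint in ts.trusted_ca:
            return True
    return False


def valid_paths(leaf, store, ts):
    return [p for p in build_paths(leaf, store) if path_accepted(p, ts)]


def scenarios():
    """Count accepted paths for the settings discussed in the thread."""
    both_roots = TrustSettings(frozenset({"fp-addtrust", "fp-utn-self"}))
    utn_unchecked = TrustSettings(frozenset({"fp-addtrust"}))
    utn_negative_fp = TrustSettings(frozenset({"fp-addtrust"}),
                                    distrusted_fps=frozenset({"fp-utn-self", "fp-utn-cross"}))
    utn_negative_name = TrustSettings(frozenset({"fp-addtrust"}),
                                      distrusted_names=frozenset({"UTN-USERFirst-Hardware"}))
    reissued_store = BASE_STORE + [UTN_CROSS_NEW]
    return {
        # both roots trusted: direct path and cross-signed path are accepted
        "default": len(valid_paths(LEAF_UTN, BASE_STORE, both_roots)),
        # UTN trust bits unchecked: the path through AddTrust still validates
        "utn_bits_unchecked": len(valid_paths(LEAF_UTN, BASE_STORE, utn_unchecked)),
        # negative trust on the UTN certificates kills both paths ...
        "utn_negative": len(valid_paths(LEAF_UTN, BASE_STORE, utn_negative_fp)),
        # ... without affecting certificates issued directly under AddTrust
        "other_leaf_still_ok": len(valid_paths(LEAF_OTHER, BASE_STORE, utn_negative_fp)),
        # a re-issued cross-cert slips past fingerprint-based distrust ...
        "reissued_vs_fingerprint": len(valid_paths(LEAF_UTN, reissued_store, utn_negative_fp)),
        # ... but not past distrust keyed on the sub-CA's subject name
        "reissued_vs_name": len(valid_paths(LEAF_UTN, reissued_store, utn_negative_name)),
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name}: {count} accepted path(s)")
```

The model keeps the distinction Eddy raises: distrust pinned to a fingerprint only covers certificates you already hold, whereas distrust keyed on the sub-CA's name also catches a later re-issue under the same name, at the cost of matching on an attacker-controllable field rather than on the certificate itself.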
