On TUAW, the comments on a post[1] about removing the DigiNotar certificate indicate that all you really have to do is quit and relaunch Safari to get it to notice that the certificate has been marked as untrusted. How did this article decide that EV-SSL was to blame?
Marking as not trusted in Lion seems to work fine. When I open DigiNotar's own site[1] in Safari, I get a "can't verify the identity..." dialog popup. Not sure how to check if it's an EV cert, though it'd be surprising if they're not using an EV cert for their own CA site!
Just delete the cert altogether - there's no reason to leave it on the system at this point (i.e. Google Chrome does not trust it in the latest updates regardless).
The problem is the certificate can be re-added when you do an update (if the update included new root CAs). Thus it's usually safer to just mark the CA as untrusted.
The update would be a new certificate, and the old one would still be marked as untrusted (unless it was deleted by the update). Even if you mark the old one as untrusted the new one would work regardless (i.e. there are 5 Verisign root certs in Lion - 2x class 3s).
I doubt root cert updates are an update to the entire set (at least that's what I would hope) - less chance of breaking something else in the process.
Ehm ... I am not seeing this at all. I have marked the certificate as not trusted ever, and I get warnings no matter what on their site, whether they are using EV-SSL or not.
Seems to me there is going to be a growing demand for greater accountability in CAs. Does the protocol support requiring a certificate to be signed by two (or more) trusted CAs? Then even if one CA is hacked or spoofed into signing a bogus certificate, hopefully the other one hasn't been.
The line between how a browser or even a TLS library validates a certificate and what the protocol requires is blurry (you can do more than the TLS protocol itself needs you to do), but, no, you can't sign a cert with 2 CAs.
You could, however, have two certificates issued by different CAs signing the same public key. I'm not sure if the protocol requires the additional certificates to be part of the same chain, though.
Works for me on OSX 10.6.6 - disable DigiNotar in Keychain Access then attempt to visit the DigiNotar site over SSL at https://service.diginotar.nl/ - it either fails outright or generates a certificate warning.
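The two points made above, that an X.509 certificate carries exactly one CA signature but the same public key can be certified by different CAs, and that a chain stops validating as soon as its issuer is gone from the trust store (which is what disabling the root in Keychain Access and then visiting the site shows), as an added shell example using OpenSSL. This is not code from the thread; it assumes an `openssl` binary (1.1.1 or newer) on PATH, and the CA names, hostname and key material are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `openssl` 1.1.1+ on PATH.
# "Example CA 1/2" and service.example.test are made-up names; no real
# CA material is involved.
set -e
cd "$(mktemp -d)"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

newkey() {  # $1 = output file; P-256 keeps key generation fast
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Self-signed root CA: $1 = file prefix, $2 = common name.
mk_ca() {
    newkey "$1.key"
    openssl req -x509 -new -config demo.cnf -extensions v3_ca -key "$1.key" \
        -subj "/CN=$2" -days 30 -out "$1.pem" 2>/dev/null
}

# Sign CSR $2 with CA $1, writing the certificate to $3. A certificate holds
# exactly one signature, so "two CAs" means two separate certificates.
issue() {
    openssl x509 -req -in "$2" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 30 -out "$3" 2>/dev/null
}

# Exit 0 if certificate $2 chains to a trust store containing only $1.
# A store that no longer holds the issuer (deleted or distrusted) rejects it.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 of the SubjectPublicKeyInfo; certificates for one key compare equal.
pubkey_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'
}

setup() {
    mk_ca ca1 "Example CA 1"
    mk_ca ca2 "Example CA 2"
    newkey site.key
    openssl req -new -config demo.cnf -key site.key \
        -subj "/CN=service.example.test" -out site.csr 2>/dev/null
    issue ca1 site.csr site-by-ca1.pem   # same CSR, same public key ...
    issue ca2 site.csr site-by-ca2.pem   # ... second, independent certificate
}

report() {  # $1 = trust store file, $2 = certificate to check
    if verify_against "$1" "$2"; then
        echo "OK   $2 against $1"
    else
        echo "FAIL $2 against $1"
    fi
}

setup
report ca1.pem site-by-ca1.pem
report ca2.pem site-by-ca1.pem   # issuer absent from the store: rejected
report ca2.pem site-by-ca2.pem
echo "key in cert 1: $(pubkey_fingerprint site-by-ca1.pem)"
echo "key in cert 2: $(pubkey_fingerprint site-by-ca2.pem)"
```

The `FAIL` line is the command-line equivalent of the Safari warning: the leaf is unchanged and still validly signed, but its issuer is not in the store being consulted. The two fingerprints match, which is the "two certificates, one key" arrangement; nothing in that arrangement makes a client require both chains, so it adds no protection unless the client is written to demand it.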
Slightly off topic but does anyone know how Opera has been handling this? I've searched around a bit and looked at Opera's cert settings and can't figure out if Opera has fixed this or not.
[1] http://www.tuaw.com/2011/09/01/how-to-get-rid-of-diginotar-d...