<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Yes, looking at the screen shot I took, CertWatch was informing me that a new root certificate was found. So I did have a good reason to be alarmed at the contradictory data in the certs. Firefox must have marked the certs as un-verifiable. I apologize for the mis-communication; I've been moving very fast lately so the series of pop-ups were essentially a delay to me getting back into my browser.<br></span></div><div><br></div><div>The Debian patches for actively distrusting the DigiNotar certs just hit Ubuntu.</div><div><br></div><div><br><span></span></div><div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font size="2" face="Arial"><hr size="1"><b><span style="font-weight:
bold;">From:</span></b> Rick Moen &lt;rick@linuxmafia.com&gt;<br><b><span style="font-weight: bold;">To:</span></b> conspire@linuxmafia.com<br><b><span style="font-weight: bold;">Sent:</span></b> Friday, September 9, 2011 11:39 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)<br></font><br>Quoting Adrien Lamothe (<a ymailto="mailto:alamozzz@yahoo.com" href="mailto:alamozzz@yahoo.com">alamozzz@yahoo.com</a>):<br><br>> Right. So, the problem on my end was:<br>> <br>> 1. I update Firefox.<br>> 2. Upon restarting Firefox, CertWatch informs me it wants to update certificates.<br><br>Huh. This seems unfamiliar to me, from my brief usage of the CertWatch /<br>Certificate Watch extension for Firefox. (There's an entirely different<br>CertWatch you'll find in Web searching, a cronjob that periodically<br>checks
installed SSL certs inside your Web server to spot any that are<br>nearing expiration.)<br><br>As the docs and third-party articles (such as<br><a href="http://simos.info/blog/archives/1179" target="_blank">http://simos.info/blog/archives/1179</a>) say, the first time I started<br>Firefox (Iceweasel) after installing the CertWatch extension, there was<br>a delay of some seconds while it parsed the 150-odd root certs and wrote<br>information about them into SQLite, but I can't remember ever seeing <br>CertWatch tell me it 'wants to update certificates'. (Actually, I'm not <br>even sure what that phrase means in this context. What would CertWatch<br>have to do with 'updating certificates'? CertWatch doesn't fetch or<br>update certificates; it merely lets you know whenever a root cert,<br>intermediate signature, or site SSL certificate first comes to its<br>attention _or changes_.)<br><br>> 3. CertWatch then proceeds
to pop up a procession of<br>> windows, each with cert data, each with "OK" and "Cancel" buttons.<br><br>This _sounds_ like the displays it pops up when a root cert /<br>intermediate signature / site SSL certificate first comes to CertWatch's<br>attention (or changes).<br><br><br>> 4. I see contradictory information in the cert data. But I<br>> trust that CertWatch knows what it is doing (which it did.) However,<br>> CertWatch doesn't tell me it is de-verifying those certs, merely that<br>> it is updating them.<br><br>Again, I don't get it: CertWatch doesn't 'de-verify' or 'update'<br>anything (except it does quietly update its own records in SQLite). It<br>merely informs you about cert changes / new-to-it SSL stuff.<br><br>However, when you say 'updating', you may be referring to CertWatch<br>popping up a dialogue saying (paraphrased) 'You've just loaded a page<br>attested by this SSL thingie that I've
never seen before (or has<br>changed).'<br><br>> Perhaps CertWatch should add a notation during update notification, as<br>> to the nature of the update.<br><br>I'm really sorry, but I have no idea what 'update' you are talking<br>about.<br><br><br>_______________________________________________<br>conspire mailing list<br><a ymailto="mailto:conspire@linuxmafia.com" href="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br><a href="http://linuxmafia.com/mailman/listinfo/conspire" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br><br><br></div></div></div></body></html>