-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

6 September 2011

You should upgrade to Firefox 3.6.22 or Firefox 6.0.2 in order to be
protected against the DigiNotar CA certificates which are assumed to be
compromised. These versions include the certificates that are mentioned
in my blog post at:
https://kuix.de/blog/index.php?entry=NSS-changes-to-address-the-DigiNotar-incident

However, if for any reason you are not (yet) able to upgrade, here is a
workaround to at least get the changes we made to NSS.

(The newer applications will change some certificate errors from
untrusted to revoked, in particular for those issued on or after July 1,
and these errors cannot be overridden by exceptions. The procedure
explained below will give you only untrusted treatment for these
certificates, which should still be helpful.)

You must repeat the following actions for each
Firefox/Thunderbird/SeaMonkey profile.

Click each of the following links:

* https://kuix.de/q/knockout20110906/1.php
* https://kuix.de/q/knockout20110906/2.php
* https://kuix.de/q/knockout20110906/3.php
* https://kuix.de/q/knockout20110906/4.php
* https://kuix.de/q/knockout20110906/5.php
* https://kuix.de/q/knockout20110906/6.php

Each time you will be presented with a dialog. You will be asked to
apply trust. DO NOT ADD TRUST. Checkboxes should remain NOT CHECKED.
Click OK for each of them.

This procedure will import the 6 knockout certificates, overriding the
older ones which are trusted.

Because you cannot download these with Thunderbird, use the following
links to download and save these certificates:

* https://kuix.de/q/knockout20110906/1.der
* https://kuix.de/q/knockout20110906/2.der
* https://kuix.de/q/knockout20110906/3.der
* https://kuix.de/q/knockout20110906/4.der
* https://kuix.de/q/knockout20110906/5.der
* https://kuix.de/q/knockout20110906/6.der

Then go to Thunderbird preferences, advanced, encryption, view
certificates, authorities, and use the "import" feature 6 times, once
for each of the certificates.

Again, make sure you DO NOT check any checkboxes, simply click OK.

Kai Engert

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5mWHcACgkQdUk7WZN5lQ74DQCgjbusPlZyQscV9y3M/gfYoX2J
wwsAoIEn4GGZiU7ddAvNZtxl181XtgNr
=7mOk
-----END PGP SIGNATURE-----