Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Mon, Aug 29, 2011 at 08:09:02PM -0500, Raphael Geissert wrote:
> On Monday 29 August 2011 16:03:57 Josh Triplett wrote:
> > Whatever resolution Mozilla and others end up with (revocation of the
> > certificate or of the entire CA), ca-certificates will likely need to
> > do the same.
> FWIW, individual certificates can't be "revoked" in ca-certificates.
> Shipping revocation lists is useless too.

Does OpenSSL not have any facility for a system-wide revocation list?

Fortunately, in this case, the resolution involves disabling the
DigiNotar Root CA entirely, which ca-certificates can do.

- Josh Triplett
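
Added example, not part of the original message or of the ca-certificates package: one way a local administrator can apply the "disable the CA entirely" resolution is to deselect the entry in a ca-certificates.conf-style file, where a leading "!" marks a certificate as deselected. The helper names and the sample entry names below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). ca-certificates.conf syntax:
#   "#..." comment, "!name" deselected certificate, "name" selected certificate.

# deselect_ca CONF PATTERN: prefix each selected entry containing PATTERN
# (case-insensitive substring) with "!"; prints how many entries were changed.
deselect_ca() {
    conf=$1
    pattern=$2
    [ -n "$pattern" ] && [ -f "$conf" ] || return 2
    tmp=$(mktemp) || return 1
    changed=$(awk -v pat="$pattern" -v out="$tmp" '
        BEGIN { pat = tolower(pat) }
        # Leave comments, blank lines and already-deselected entries alone.
        /^[#!]/ || /^[ \t]*$/ { print > out; next }
        index(tolower($0), pat) > 0 { print "!" $0 > out; n++; next }
        { print > out }
        END { print n + 0 }
    ' "$conf") || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "$changed"
}

# Constructed sample file; the entry names are illustrative.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, same syntax as /etc/ca-certificates.conf
mozilla/Example_Trusted_Root.crt
mozilla/DigiNotar_Root_CA.crt
!mozilla/Example_Already_Disabled.crt
EOF
}

# Demo on a scratch copy only.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
deselect_ca "$demo_conf" diginotar   # prints 1
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real system the same edit would be made to /etc/ca-certificates.conf as root, followed by running update-ca-certificates so that /etc/ssl/certs is regenerated without the deselected certificate.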

