Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> Does OpenSSL not have any facility for a system-wide revocation list?

No, I already checked that back when the Comodo hack occurred.
Every application needs to manually load the revocation lists, just like they
need to manually check the trust chain and all the other
this-should-all-be-done-in-just-one-place things.

(I only checked OpenSSL and GnuTLS, don't know about other implementations.)

> Fortunately, in this case, the resolution involves disabling the
> DigiNotar Root CA entirely, which ca-certificates can do.

Yep, this case can nicely be handled by ca-certificates.
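
The per-application revocation loading described in this message can be seen with the `openssl` command-line tool. The script below is an added example, not part of the original mail: it builds a throwaway CA, issues and revokes one certificate, and verifies it with and without a CRL. The file names, subject names and the `crl_demo` and `q` helpers are all made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA issues one certificate and revokes it; the
# certificate is then verified with and without the CRL being loaded.
# All file names and subject names are invented for this example.
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

crl_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Minimal config shared by `openssl req` and `openssl ca`.
        printf '%s\n' \
            '[ req ]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
            '[ dn ]' \
            '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' \
            '[ ca ]' 'default_ca = demo' \
            '[ demo ]' 'database = index.txt' 'serial = serial' \
            'new_certs_dir = .' 'default_md = sha256' 'default_days = 30' \
            'default_crl_days = 30' 'policy = pol' \
            '[ pol ]' 'commonName = supplied' > demo.cnf
        : > index.txt
        echo 01 > serial
        ca="openssl ca -batch -config demo.cnf -cert ca.pem -keyfile ca.key"

        q openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes \
            -subj '/CN=Demo Root CA' -keyout ca.key -out ca.pem -days 30 &&
        q openssl req -config demo.cnf -newkey rsa:2048 -nodes \
            -subj '/CN=leaf.example' -keyout leaf.key -out leaf.csr &&
        q $ca -notext -in leaf.csr -out leaf.pem &&
        q $ca -revoke leaf.pem &&
        q $ca -gencrl -out crl.pem || exit 1

        # Same certificate, same trust anchor; only the caller's options differ.
        if q openssl verify -CAfile ca.pem leaf.pem; then
            echo "default verify: accepted"
        else
            echo "default verify: rejected"
        fi
        if q openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem; then
            echo "crl_check verify: accepted"
        else
            echo "crl_check verify: rejected"
        fi
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

crl_demo
```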

