[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> Does OpenSSL not have any facility for a system-wide revocation list?

No, I already checked that back when the Comodo hack occurred.
Every application needs to manually load the revocation lists, just like they 
need to manually check the trust chain and all the other this-should-all-be-
done-in-just-one-place things.

(I only checked OpenSSL and GnuTLS, don't know about other implementations.)

> Fortunately, in this case, the resolution involves disabling the
> DigiNotar Root CA entirely, which ca-certificates can do.

Yep, this case can nicely be handled by ca-certificates.

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to: