Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

To: Josh Triplett <josh@joshtriplett.org>
Cc: 639744@bugs.debian.org
Subject: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
From: Raphael Geissert <geissert@debian.org>
Date: Mon, 29 Aug 2011 20:32:40 -0500
Message-id: <[🔎] 201108292032.42755.geissert@debian.org>
Reply-to: Raphael Geissert <geissert@debian.org>, 639744@bugs.debian.org
In-reply-to: <[🔎] 20110830011911.GA7304@leaf>
References: <[🔎] 20110829210357.26233.13731.reportbug@leaf> <[🔎] 201108292009.05392.geissert@debian.org> <[🔎] 20110830011911.GA7304@leaf>

On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> Does OpenSSL not have any facility for a system-wide revocation list?

No, I already checked that back when the Comodo hack occurred.
Every application needs to manually load the revocation lists, just like they 
need to manually check the trust chain and all the other this-should-all-be-
done-in-just-one-place things.

(I only checked OpenSSL and GnuTLS, don't know about other implementations.)

> Fortunately, in this case, the resolution involves disabling the
> DigiNotar Root CA entirely, which ca-certificates can do.

Yep, this case can nicely be handled by ca-certificates.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to:

Follow-Ups:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Josh Triplett <josh@joshtriplett.org>

References:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Josh Triplett <josh@joshtriplett.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Raphael Geissert <geissert@debian.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Josh Triplett <josh@joshtriplett.org>

Prev by Date: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by Date: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Previous by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Index(es):
- Date
- Thread