[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > Does OpenSSL not have any facility for a system-wide revocation list?
> 
> No, I already checked that back when the Comodo hack occurred.
> Every application needs to manually load the revocation lists, just like they 
> need to manually check the trust chain and all the other this-should-all-be-
> done-in-just-one-place things.

I understand that they'd have to manually load the lists, but perhaps it
would make sense to standardize a location from which they should load
them?  Does OpenSSL or GnuTLS have any concept of a "revocation store"
format, similar to a "certificate store", or would this need some
special-purpose custom format?

- Josh Triplett
Reply to: