Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > Does OpenSSL not have any facility for a system-wide revocation list?
> No, I already checked that back when the Comodo hack occurred.
> Every application needs to manually load the revocation lists, just like they 
> need to manually check the trust chain and all the other this-should-all-be-
> done-in-just-one-place things.

I understand that they'd have to manually load the lists, but perhaps it
would make sense to standardize a location from which they should load
them?  Does OpenSSL or GnuTLS have any concept of a "revocation store"
format, similar to a "certificate store", or would this need some
special-purpose custom format?

- Josh Triplett
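Added example, not part of the bug report or of OpenSSL's own tooling: a throwaway PKI that makes the point of this exchange concrete. It issues a leaf certificate from a demo root, revokes it in a CRL, and then runs `openssl verify` three ways: with the chain alone (the revocation is never consulted and the certificate passes), with the CRL supplied explicitly via `-CRLfile`, and with the CRL placed in a hashed `-CApath` directory, where OpenSSL's hash-directory lookup expects the CA as `<subject_hash>.0` and its CRL as `<subject_hash>.r0` (the layout `c_rehash` produces). It assumes an `openssl` command-line tool of version 1.1.1 or later on `PATH`; every name, path and config value in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the bug report): build a throwaway CA, issue and
# revoke a leaf certificate, and show that OpenSSL only rejects the revoked
# certificate when the CRL is loaded explicitly, from a file or from a
# hashed lookup directory.

# Create the throwaway PKI in a fresh temp directory and print its path.
make_pki() {
  pki=$(mktemp -d)
  (
    cd "$pki" || exit 1
    mkdir -p newcerts store
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    # Minimal config shared by 'openssl req' and 'openssl ca' (constructed).
    cat > ca.cnf <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = anything
x509_extensions = leaf_ext
[leaf_ext]
basicConstraints = CA:FALSE
[anything]
commonName = supplied
EOF
    # Self-signed demo root.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.pem -days 30 -subj "/CN=Demo Root CA" >/dev/null 2>&1
    # Leaf key and CSR, then a certificate signed by the demo root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
        -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem >/dev/null 2>&1
    # Revoke the leaf and publish a CRL that carries the revocation.
    openssl ca -batch -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    # Hashed lookup directory: <subject_hash>.0 for the CA, <subject_hash>.r0 for its CRL.
    h=$(openssl x509 -in ca.pem -noout -subject_hash)
    cp ca.pem "store/$h.0"
    cp crl.pem "store/$h.r0"
  ) || return 1
  echo "$pki"
}

# Each check returns 0 when 'openssl verify' accepts the leaf, non-zero when it rejects it.
verify_chain_only() {
  openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}
verify_with_crl_file() {
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" "$1/leaf.pem" >/dev/null 2>&1
}
verify_with_hash_dir() {
  openssl verify -crl_check -CApath "$1/store" "$1/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: the revoked leaf passes without a CRL and fails with one.
demo() {
  pki=$(make_pki) || { echo "could not build demo PKI"; return 1; }
  if verify_chain_only "$pki"; then echo "chain only:    accepted (revocation never consulted)"; fi
  if verify_with_crl_file "$pki"; then :; else echo "with -CRLfile: rejected"; fi
  if verify_with_hash_dir "$pki"; then :; else echo "with -CApath:  rejected"; fi
  rm -rf "$pki"
}
demo
```

The third check is the closest thing OpenSSL offers to the "revocation store" asked about: the same hashed directory that serves as a certificate store also serves CRLs, but the application still has to point its `X509_STORE` at that directory and set `X509_V_FLAG_CRL_CHECK` itself; nothing consults it by default, which is why the chain-only check above accepts the revoked certificate.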

