On lun., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> > On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > > Does OpenSSL not have any facility for a system-wide revocation list?
> >
> > No, I already checked that back when the Comodo hack occurred.
> > Every application needs to manually load the revocation lists, just like they
> > need to manually check the trust chain and all the other
> > this-should-all-be-done-in-just-one-place things.
>
> I understand that they'd have to manually load the lists, but perhaps it
> would make sense to standardize a location from which they should load
> them? Does OpenSSL or GnuTLS have any concept of a "revocation store"
> format, similar to a "certificate store", or would this need some
> special-purpose custom format?
And it'd be nice if nss could share that store...
nss apps are more or less starting to use a {/etc/,~/.}pki/nssdb/ which
can be shared across apps (though I only know about evolution using it
right now).
By the way, shouldn't this bug be cloned to libnss3-1d (and maybe
iceweasel and icedove if they ship the certificates themselves)?
Regards,
--
Yves-Alexis
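The point Raphael makes above, that OpenSSL only honours a revocation list an application loads itself, can be reproduced with the command-line tool. The script below is an added example, not part of this thread or of any of the packages mentioned: it builds a throwaway CA and leaf certificate, revokes the leaf, and then verifies the same certificate once without and once with the CRL. It assumes an `openssl` binary on PATH that supports `verify -CRLfile`; the names `demo-ca`, `demo-leaf` and `ca.cnf` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a revoked certificate still
# passes plain chain validation with OpenSSL, because the CRL is only used
# when the caller hands it over and enables checking.
# All names (demo-ca, demo-leaf, ca.cnf) are constructed for this example.
set -eu

# Build a CA, a leaf certificate and a CRL that revokes that leaf, inside a
# fresh temporary directory.  Prints the directory path.
setup_demo_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        # Minimal 'openssl ca' configuration: just enough for -revoke/-gencrl.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo

[ demo ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
        touch index.txt
        # Self-signed CA.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=demo-ca" -days 30 >/dev/null 2>&1
        # Leaf certificate issued by that CA.
        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=demo-leaf" >/dev/null 2>&1
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out leaf.pem -days 30 >/dev/null 2>&1
        # Revoke the leaf and publish the CRL.
        openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
        openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
    echo "$dir"
}

# Chain validation only: no CRL is loaded, so the revocation is invisible.
verify_without_crl() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same chain, but the CRL is supplied and CRL checking is switched on.
verify_with_crl() {
    openssl verify -CAfile "$1/ca.pem" -crl_check -CRLfile "$1/crl.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

pki=$(setup_demo_pki)
if verify_without_crl "$pki"; then
    echo "without CRL: revoked leaf accepted"
fi
if verify_with_crl "$pki"; then
    echo "with CRL: revoked leaf still accepted (unexpected)"
else
    echo "with CRL: revoked leaf rejected"
fi
rm -rf "$pki"
```

The two `verify` calls are exactly the difference between an application that remembers to load the CRL and one that does not: nothing in the trust store itself marks the certificate as revoked, so a shared, system-wide CRL location would only help if every TLS library and application agreed to consult it.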