
Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA



On Mon., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> > On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > > Does OpenSSL not have any facility for a system-wide revocation
> > > list?
> > 
> > No, I already checked that back when the Comodo hack occurred.
> > Every application needs to manually load the revocation lists, just
> > like they need to manually check the trust chain and all the other
> > this-should-all-be-done-in-just-one-place things.
> 
> I understand that they'd have to manually load the lists, but perhaps
> it would make sense to standardize a location from which they should
> load them?  Does OpenSSL or GnuTLS have any concept of a "revocation
> store" format, similar to a "certificate store", or would this need
> some special-purpose custom format?

And it'd be nice if nss could share that store...

nss apps are more or less starting to use a {/etc/,~/.}pki/nssdb/ which
can be shared across apps (though I only know about evolution using it
right now).

By the way, shouldn't this bug be cloned to libnss3-1d (and maybe
iceweasel and icedove if they ship the certificates themselves)?

Regards,
-- 

Yves-Alexis
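Raphael's point above, that OpenSSL checks revocation only when the caller itself loads the CRL, shown with a throwaway CA as an added example (not code from the bug report or from Debian). It assumes an `openssl` binary (1.1.1 or newer) on PATH; the CA and leaf names are made up.

```shell
# Added example: OpenSSL only honours a CRL that the caller loads itself.
# Throwaway CA with made-up names; issues a leaf, revokes it, verifies twice.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Constructed CA and leaf certificate (1-day lifetime, test-only names).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -days 1 -subj "/CN=Example Test CA" \
    -out ca.pem 2>/dev/null
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=leaf.example.invalid" \
    -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null

# Minimal "openssl ca" database so the CA can revoke and publish a CRL.
mkdir db; : > db/index.txt; echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = db/index.txt
crlnumber        = db/crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Chain check only: prints "ok" although the leaf is revoked, because no
# CRL was handed to the verifier and nothing loads one for it.
verify_chain_only() {
    if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; then
        echo ok; else echo fail; fi
}

# Same check with the CRL loaded explicitly and CRL checking switched on:
# prints "revoked". A library user has to do the equivalent by hand with
# X509_STORE_add_crl() and the X509_V_FLAG_CRL_CHECK flag.
verify_with_crl() {
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem \
          leaf.pem 2>&1) && { echo ok; return 0; }
    case "$out" in *"certificate revoked"*) echo revoked ;; *) echo fail ;; esac
}

echo "without CRL: $(verify_chain_only)"   # without CRL: ok
echo "with CRL:    $(verify_with_crl)"     # with CRL:    revoked
```

Dropping `-CRLfile` or `-crl_check` from the second call makes the revoked leaf verify cleanly again, which is exactly the per-application burden the thread describes.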


