On Mon., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> > On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > > Does OpenSSL not have any facility for a system-wide revocation list?
> >
> > No, I already checked that back when the Comodo hack occurred.
> > Every application needs to manually load the revocation lists, just like they
> > need to manually check the trust chain and all the other
> > this-should-all-be-done-in-just-one-place things.
>
> I understand that they'd have to manually load the lists, but perhaps it
> would make sense to standardize a location from which they should load
> them? Does OpenSSL or GnuTLS have any concept of a "revocation store"
> format, similar to a "certificate store", or would this need some
> special-purpose custom format?

And it'd be nice if nss could share that store... nss apps are more or less
starting to use a {/etc/,~/.}pki/nssdb/ which can be shared across apps
(though I only know about evolution using it right now).

By the way, shouldn't this bug be cloned to libnss3-1d (and maybe iceweasel
and icedove if they ship the certificates themselves)?

Regards,
--
Yves-Alexis
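Raphael's point that every OpenSSL application has to load revocation lists itself, made concrete with the openssl CLI. This is an added example, not code from the thread or from any of the packages discussed; it assumes the `openssl` command-line tool is installed, and the CA, leaf certificate and CRL it builds are constructed throw-away test data.

```shell
#!/bin/sh
# Added example: OpenSSL has no system-wide CRL store, so a CRL only takes
# effect when the verifying application loads it and asks for CRL checking.
# Everything is generated in a scratch directory (constructed test data).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal config: [req] lets -subj work without prompts, [ca] feeds `openssl ca`.
mkdir db && : > db/index.txt && echo 01 > db/crlnumber
cat > test.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = db/index.txt
crlnumber        = db/crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
# 1. Throw-away CA, explicitly allowed to sign certificates and CRLs.
openssl req -config test.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
# 2. Leaf certificate issued by that CA.
openssl req -config test.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null
# 3. Revoke the leaf and publish the CRL: this is the list an app must load.
openssl ca -config test.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config test.cnf -gencrl -out crl.pem 2>/dev/null
# verify_leaf plain|crl: exit 0 if OpenSSL accepts leaf.pem, non-zero if not.
# "plain" is an app that never loads CRLs; "crl" loads crl.pem and checks it.
verify_leaf() {
  if [ "$1" = crl ]; then
    openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
  fi
}
verify_leaf plain && echo "no CRL loaded: leaf accepted (revocation invisible)"
verify_leaf crl   || echo "CRL loaded:    leaf rejected as revoked"
```

Nothing in the trust store tells the first `openssl verify` call that the leaf is revoked; only the call that explicitly loads the CRL and enables `-crl_check` rejects it.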