[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Tuesday 30 August 2011 15:48:11 Mike Hommey wrote:
> On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> > On mar., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > > What I can't tell for sure from the documentation is whether OpenSSL
> > > and GnuTLS do check the CRL's validity (signature and time.) It
> > > doesn't seem like they do.
> > > This is relevant if we were to ship them in ca-certificates.

Mike, without digging into the documentation I found this reference [2] 
regarding NSS and its CRL support. Do you know if any of what is said on that 
email has changed? namely how 'next update' dates are handled.


> > > Yves, do you know how the CRL stuff is handled in nss?
> > 
> > (my first name is Yves-Alexis :)

Oops, sorry. Please accept my apologies.

> That being said, there is a huge problem with mitigation in basically
> all the SSL libraries. There simply is no way to handle the current
> situation[1] without modifying applications.
> 1. Several fraudulent certificates whose fingerprint is unknown signed
> with several different intermediate certs that are cross-signed by other
> "safe" CAs (aiui).

Oh. Well, first thing first, I've NMUed ca-certs to remove the DigiNotar Root CA 
and will probably release a DSA with the change too (I'm afraid it will give a 
false sense of security.)

What is to be done next should probably be discussed in -devel and have input 
from external people.

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to: