[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Tue, Aug 30, 2011 at 10:49:04PM -0500, Raphael Geissert wrote:
> On Tuesday 30 August 2011 15:48:11 Mike Hommey wrote:
> > On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> > > On mar., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > > > What I can't tell for sure from the documentation is whether OpenSSL
> > > > and GnuTLS do check the CRL's validity (signature and time.) It
> > > > doesn't seem like they do.
> > > > This is relevant if we were to ship them in ca-certificates.
> 
> Mike, without digging into the documentation I found this reference [2] 
> regarding NSS and its CRL support. Do you know if any of what is said on that 
> email has changed? namely how 'next update' dates are handled.
> 
> [2]http://www.mail-archive.com/mozilla-crypto@mozilla.org/msg00890.html

I think CRL handling is still mostly manual work. I don't know much more
though.

Mike
Reply to: