Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On Mon, Sep 05, 2011 at 09:55:50PM +0200, Kurt Roeckx wrote:
> On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > > > Their is also openssl-blacklist, but it doesn't seem to have
> > > > much users.
> > However, opensl-blacklist only includes a program that checks wether a
> > certificate is weak, nothing in it AFAICS actually blocks them. It's basically
> > useless for this case.
> It could theoreticly also be used to block any certificate if
> we'd know the public key. But I agree it's useless for this case.
Actually, if it was used at all levels of the cert chain, we could block
the CA certificates we want. And we do know their public key, contrary
to the rogue certs.