
Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA



On Wed, Sep 07, 2011 at 06:23:18PM +0200, Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 10:57:51AM -0500, Raphael Geissert wrote:
> > [Kurt, please CC me on your replies. The BTS' -subscribe functionality doesn't 
> > seem to be working]
> > [CC'ing ubuntu sec, in case Kees or Jamie or whoever is taking care of the 
> > issue is also working on something to completely block DigiNotar]
> > 
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > > The only currently supported methods are OCSP and CRL, but none would do
> > > > the trick in this case.
> > > 
> > > I guess OCSP/CRL is only called for the top most certificate, and all
> > > the CAs in the chain aren't checked in most applications.  I thought
> > > I read Entrust revoked their signature, and in theory that should
> > > be enough.
> > 
> > As long as the client becomes aware of that revocation, yes.
> > DigiNotar's PKIOverheid CA also needs to be blocked. I don't remember reading 
> > any report of the gov already revoking it.
> 
> There was a new update of firefox today that removed another
> certificate.

It corresponds to the second nss upload in Debian. (DSA-2300-2)

Mike
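Kurt's remark above, that OCSP/CRL is normally consulted only for the end-entity certificate and not for the CAs in the chain, can be reproduced with nothing but the openssl command-line tool. The script below is an added illustration and is not part of this thread, of the Debian packages or of the Firefox update under discussion: it builds a throw-away root, intermediate and leaf, has the root revoke the intermediate, and then runs `openssl verify` once with `-crl_check` (leaf only) and once with `-crl_check_all` (every certificate in the chain). All names, file names and config sections are constructed for the demo; the flags are the standard `openssl req`, `x509`, `ca` and `verify` options.

```shell
#!/bin/sh
# Added demo (not from the thread): a throw-away PKI in which the root CA has
# revoked its intermediate. A leaf-only CRL check still says "OK"; only a
# whole-chain check (-crl_check_all) notices that the intermediate is revoked.
# All names, files and the directory layout here are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serves "openssl req"/"openssl x509" (extension sections)
# and "openssl ca" (one CRL database per CA).
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
[ ca ]
default_ca = root_ca
[ root_ca ]
database = root.idx
serial = root.srl
new_certs_dir = .
private_key = root.key
certificate = root.crt
default_md = sha256
default_crl_days = 30
[ inter_ca ]
database = inter.idx
serial = inter.srl
new_certs_dir = .
private_key = inter.key
certificate = inter.crt
default_md = sha256
default_crl_days = 30
EOF

# Root (self-signed) -> intermediate -> leaf.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 30 -config pki.cnf -extensions ca_ext >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" -config pki.cnf >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 30 -extfile pki.cnf -extensions ca_ext >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" -config pki.cnf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out leaf.crt -days 30 -extfile pki.cnf -extensions leaf_ext >/dev/null 2>&1

# The root revokes the intermediate and issues a CRL saying so; the
# intermediate issues an empty CRL (the leaf itself is not revoked).
touch root.idx inter.idx
openssl ca -config pki.cnf -name root_ca -revoke inter.crt >/dev/null 2>&1
openssl ca -config pki.cnf -name root_ca -gencrl -out root.crl >/dev/null 2>&1
openssl ca -config pki.cnf -name inter_ca -gencrl -out inter.crl >/dev/null 2>&1

# Leaf-only revocation check: only the CRL covering leaf.crt is consulted,
# so the revoked intermediate goes unnoticed and the chain verifies.
check_leaf_only() {
  openssl verify -CAfile root.crt -untrusted inter.crt \
    -CRLfile root.crl -CRLfile inter.crl -crl_check leaf.crt
}

# Whole-chain revocation check: every certificate in the chain is looked up
# in its issuer's CRL, so the intermediate is found revoked and this fails.
check_whole_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt \
    -CRLfile root.crl -CRLfile inter.crl -crl_check_all leaf.crt
}

echo "== leaf-only check (-crl_check) =="
check_leaf_only || true
echo "== whole-chain check (-crl_check_all) =="
check_whole_chain || true
```

Run it with `sh script.sh`; it needs only the openssl binary and writes everything to a temporary directory. The leaf-only check prints `leaf.crt: OK`, while the whole-chain check reports `certificate revoked` at depth 1 and fails. A client that consults the CRL or OCSP responder only for the leaf is in the first situation, which is the point of the thread: revoking a CA certificate higher up the chain does nothing for such a client, so the CA has to be removed from the trust store instead.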


