
Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA



On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
> > 
> > Seems like it would be better if we also handled the issue at the libssl 
> > level. OpenSSL maintainers: does that sound doable?
> 
> I'm not sure what you mean.  We don't provide any certificates,
> you need to tell openssl which certs to use, which can be a file
> or directory.  There are certificates provided by ca-certificates,
> which is probably what most people would use and afaik the DigiNotar
> CA got dropped from it.
> 
> There is also openssl-blacklist, but it doesn't seem to have
> many users.

After having read the bug report, I think we need to have a way
to say that we don't trust a CA, or have a concept for which
things we do trust a CA.  I think NSS has this concept, but
openssl or ca-certificates clearly can't express this currently.

Another way of saying the same thing would be to be able to
blacklist a CA.  The openssl-blacklist only contains a list of
blocked certificates, but nothing in it now checks the trust
path to see if it's used anywhere in the chain.

If we want to add something, it would be nice if all SSL/TLS
libraries could do that.  As far as I know, this currently
includes:
- openssl
- gnutls
- nss
- polarssl

I think I'm forgetting something for java.  And I have the feeling
I still forget something else.


Kurt
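The chain-wide check the mail says openssl-blacklist lacks, as an added example that is not part of this thread or of openssl-blacklist itself: placeholder PEM blobs stand in for real certificates, and the blocklist holds the SHA-256 fingerprint of the constructed root, so a leaf-only lookup passes while the chain walk catches it.

```python
"""Check every member of a certificate chain against a fingerprint blocklist.

Constructed example: the PEM bodies below are base64 of labelled placeholder
bytes, not real certificates, so the chain can be exercised offline.
"""
import base64
import hashlib
import re
import ssl
from typing import List, Set, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, the form a blocklist would store."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def split_chain(bundle: str) -> List[str]:
    """Leaf first, then intermediates, then the root, as sent on the wire."""
    return PEM_BLOCK.findall(bundle)


def leaf_only_blocked(bundle: str, blocklist: Set[str]) -> bool:
    """Leaf-only lookup: the behaviour the thread says is insufficient."""
    return fingerprint(split_chain(bundle)[0]) in blocklist


def blocked_members(bundle: str, blocklist: Set[str]) -> List[Tuple[int, str]]:
    """Every chain position (0 = leaf) whose fingerprint is blocklisted."""
    hits = []
    for i, cert in enumerate(split_chain(bundle)):
        fp = fingerprint(cert)
        if fp in blocklist:
            hits.append((i, fp))
    return hits


def chain_is_trusted(bundle: str, blocklist: Set[str]) -> bool:
    """Reject the chain if any member, not just the leaf, is blocklisted."""
    return not blocked_members(bundle, blocklist)


def _placeholder_pem(label: bytes) -> str:
    """Wrap constructed bytes in PEM armour (stand-in for a real DER cert)."""
    body = base64.encodebytes(label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed chain: leaf <- intermediate <- root.
SAMPLE_CHAIN = "".join(_placeholder_pem(b) for b in (
    b"constructed leaf for *.example",
    b"constructed intermediate CA",
    b"constructed root CA to be distrusted",
))
# Distrust only the root, as ca-certificates did for the DigiNotar CA.
BLOCKLIST = {fingerprint(split_chain(SAMPLE_CHAIN)[2])}

if __name__ == "__main__":
    print("leaf-only check blocks chain:", leaf_only_blocked(SAMPLE_CHAIN, BLOCKLIST))
    print("chain-wide check trusts chain:", chain_is_trusted(SAMPLE_CHAIN, BLOCKLIST))
    print("blocked members:", blocked_members(SAMPLE_CHAIN, BLOCKLIST))
```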
