On Tue, 2011-09-06 at 07:33 +0200, Mike Hommey wrote:
> On Mon, Sep 05, 2011 at 09:55:50PM +0200, Kurt Roeckx wrote:
> > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > > > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > > > > There is also openssl-blacklist, but it doesn't seem to have
> > > > > many users.
> > >
> > > However, openssl-blacklist only includes a program that checks whether a
> > > certificate is weak, nothing in it AFAICS actually blocks them. It's basically
> > > useless for this case.
> >
> > It could theoretically also be used to block any certificate if
> > we'd know the public key. But I agree it's useless for this case.
>
> Actually, if it was used at all levels of the cert chain, we could block
> the CA certificates we want. And we do know their public key, contrary
> to the rogue certs.
>

In case this was missed: http://www.f-secure.com/weblog/archives/00002231.html

(sorry, pastebin seems to be under attack right now or slashdotted right now, so http://pastebin.com/u/ComodoHacker is unavailable)

Regards,
-- 
Yves-Alexis
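
The idea quoted above, checking the public key at every level of the chain so that a CA key can be blocked, as an added example that is not part of the original message or of openssl-blacklist. It assumes a blocklist of hex SHA-256 digests of each key's DER SubjectPublicKeyInfo, one per line; the function names and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: reject a chain if ANY certificate in it carries a blocked key.
# Assumption: the blocklist holds hex SHA-256 digests of DER SubjectPublicKeyInfo,
# one per line. This is not openssl-blacklist's own format.

# Print the SPKI digest of one PEM certificate; fail if it does not parse.
spki_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_chain BLOCKLIST CERT...
# 0 = no blocked key, 1 = blocked key found, 2 = unreadable cert (fail closed).
check_chain() {
    blocklist=$1; shift
    for cert in "$@"; do
        h=$(spki_hash "$cert") || { echo "UNREADABLE: $cert" >&2; return 2; }
        if grep -qixF "$h" "$blocklist"; then
            echo "BLOCKED: $cert (spki sha256 $h)" >&2
            return 1
        fi
    done
    return 0
}

# Constructed demo data: a throwaway CA and one leaf signed by it, in dir $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Demo: block the CA key, then check the leaf together with its issuer.
demo=$(mktemp -d) && make_demo_chain "$demo" &&
    spki_hash "$demo/ca.pem" > "$demo/blocklist"
check_chain "$demo/blocklist" "$demo/leaf.pem" "$demo/ca.pem" ||
    echo "chain rejected, exit status $?"
```

Checking only the leaf would pass here, since its own key is not on the list; the rejection comes from the issuer's key, which is why the check has to cover every certificate in the chain.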