
Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation
* Thijs Kinkhorst:

> On Saturday 14 February 2009, Florian Weimer wrote:
>> > Our servers use commercial certificates, with "GTE CyberTrust Global
>> > Root" as the root certificate. It apparently is a v1 x509 certificate...
>>
>> It uses 1024-bit RSA, it is more than ten years old, and GTE
>> Cybertrust does not exist anymore--GTE sold Cybertrust to Baltimore,
>> Baltimore was sucked into Betrusted, and Betrusted was bought by
>> Verizon, so the key material is controlled by someone else these days.
>> (It does not matter that the self-signature uses RSA-MD5.)
>
> This may be true, but it is this certificate that is used as the root by for
> example Terena, the association of all European NRENs, and hence is in use
> by a very large part of the European academic community.
> http://www.terena.org/activities/scs/participants.html

Yuck. 8-(

> The certificate may be old, but this is unfortunately a given and
> hard to change.

Would you recommend applying the X.509v1 hack (see the patch I linked
to) to lenny as well?
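The thread above objects to a root certificate on three counts: it is X.509v1 (no version field, so no extensions), its RSA key is 1024 bits, and its self-signature uses RSA-MD5. As an added example (not from this thread, GnuTLS or Debian), the following stand-alone DER walker reports exactly those three properties for any certificate, so a trust store can be audited for such roots; the sample_cert builder is a constructed, unsigned dummy certificate used only to exercise the inspector.

```python
# Added example: minimal DER walk over an X.509 certificate reporting
# version, RSA modulus size and whether the signature is md5WithRSA.
OID_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption
OID_MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # md5WithRSAEncryption
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption

def _tlv(buf, pos=0):
    """One DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def inspect_cert(der):
    """Version, RSA modulus bits and whether the signature is md5WithRSA."""
    (_, tbs), (_, sig_alg), _ = _children(_tlv(der)[1])
    fields = _children(tbs)
    version = 1                                         # no [0] field => X.509v1
    if fields[0][0] == 0xA0:
        version = _children(fields[0][1])[0][1][0] + 1
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    bitstr = _children(fields[5][1])[1][1][1:]          # strip unused-bits octet
    modulus = _children(_children(bitstr)[0][1])[0][1]  # RSAPublicKey.modulus
    return {"version": version,
            "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
            "md5_signature": _tlv(sig_alg)[1] == OID_MD5_RSA[2:]}

def _der(tag, body):                                    # DER TLV, lengths < 65536
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def sample_cert(version, modulus_bits, sig_oid):
    """Constructed dummy certificate (unsigned, empty names) for testing."""
    alg = _der(0x30, sig_oid + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"090214000000Z") * 2)
    n = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    rsa = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, OID_RSA + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    tbs = _der(0x02, b"\x01") + alg + _der(0x30, b"") + validity + _der(0x30, b"") + spki
    if version > 1:
        tbs = _der(0xA0, _der(0x02, bytes([version - 1]))) + tbs
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 17))
```

Run inspect_cert over each DER root in a trust store and flag version == 1, rsa_bits < 2048 or md5_signature; a v1 root like the one discussed above shows all three.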
