Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation
Hello,
Florian Weimer wrote:
>>I just built it; it seems to work fine.
>
> Thanks.
No problem. Do you plan to issue a new DSA that applies this patch to
etch's gnutls13?
> The usual problem with X.509v1 certificates: if you add something to
> the certificate store, assuming it's a server certificate, it turns
> into a CA certificate. This might be a problem in some cases.
But do you think anyone would still issue X.509v1 certificates?
To the best of my knowledge, most server certificates are short-lasting
(a few years) and all X.509v1 server certificates should have
expired long ago...
On the other hand, root certificates are supposed to be long-lasting (a
few tens of years), so it's not surprising that some very old root
certificates (including X.509v1 ones) are still in use...
Regards,
--
Nicolas Boullis
École Centrale Paris
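
Added example, not part of the original message and not GnuTLS code: a small audit that lists which entries of a PEM trust bundle are X.509v1. Such certificates carry no extensions, so there is no basicConstraints field to separate a server certificate from a CA, which is the situation described in the quoted text. The function names are hypothetical and the sample inputs are constructed DER skeletons, not real certificates.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3; an absent [0] version field means v1 (the DEFAULT)."""
    tag, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = read_tlv(der, pos)      # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    tag, pos, _ = read_tlv(der, pos)      # first field of TBSCertificate
    if tag != 0xA0:                       # serialNumber comes first: v1
        return 1
    tag, start, end = read_tlv(der, pos)  # INTEGER inside the [0] wrapper
    if tag != 0x02:
        raise ValueError("malformed version field")
    return int.from_bytes(der[start:end], "big") + 1

def audit_store(pem_text):
    """Return the positions (0-based) of X.509v1 entries in a PEM bundle."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [i for i, b in enumerate(blocks) if x509_version(base64.b64decode(b)) == 1]

# Constructed sample data: only the leading fields that the version check reads.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value

def _pem(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

SAMPLE_V1 = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")))
SAMPLE_V3 = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")))
SAMPLE_BUNDLE = _pem(SAMPLE_V3) + _pem(SAMPLE_V1)
```

Any position returned by `audit_store` is an entry worth reviewing by hand before it stays in the store.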