
Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation



Hello,

Florian Weimer wrote:
>>I just built it; it seems to work fine.
> 
> Thanks.

No problem. Do you plan to issue a new DSA that applies this patch to
etch's gnutls13?


> The usual problem with X.509v1 certificates: if you add something to
> the certificate store, assuming it's a server certificate, it turns
> into a CA certificate.  This might be a problem in some cases.

But do you think anyone would still issue X.509v1 certificates?
To the best of my knowledge, most server certificates are short-lasting
(a few years) and all X.509v1 server certificates should have
expired long ago...
On the other hand, root certificates are supposed to be long-lasting (a
few tens of years), so it's not surprising that some very old root
certificates (including X.509v1 ones) are still in use...


Regards,

-- 
Nicolas Boullis
École Centrale Paris
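
The X.509v1 concern in the quoted text follows from v1 certificates carrying no extensions, so they have no basicConstraints to separate a CA from a server certificate. As an added example (not part of the original message and not GnuTLS code), this Python check reads the version field from DER and lists the v1 entries of a trust store; the function names and the sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, start, _ = read_tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, vstart, _ = read_tlv(der, start)
    if tag != 0xA0:                         # no [0] version field: DEFAULT v1
        return 1
    tag, istart, iend = read_tlv(der, vstart)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1  # v1=0, v2=1, v3=2

def audit_store(store):
    """Names of v1 entries: nothing in them says 'CA' or 'not a CA'."""
    return sorted(name for name, der in store.items() if x509_version(der) == 1)

# Constructed skeletons, NOT valid certificates: only the fields read above.
def der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length is enough here

def sample_cert(version_field):
    return der(0x30, der(0x30, version_field + der(0x02, b"\x01")))

SAMPLE_V1 = sample_cert(b"")                            # version omitted
SAMPLE_V3 = sample_cert(der(0xA0, der(0x02, b"\x02")))  # explicit v3

if __name__ == "__main__":
    print(audit_store({"old-root": SAMPLE_V1, "new-root": SAMPLE_V3}))
```
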

