Bug#514807: Regression in libgnutls security update

[Florian Weimer]

* Simon Josefsson:

>> and the DN doesn't really matter, either.
>
> The SubjectDN of the CA needs to match the IssuerDN of the next cert in
> the chain.

I meant it in the sense that no root certificates are revoked after
the DN has become invalid because the denoted legal entity has ceased
to exist, or someone else has gained access to (or full control over)
the key material.