Bug#514807: Regression in libgnutls security update

Edward Allcutt emallcut at gleim.com
Thu Feb 12 15:00:06 UTC 2009

Florian Weimer wrote:
> * Edward Allcutt:
>> I believe this is a significant regression in stable because at least
>> one widely used CA (godaddy) still issues certificates with a chain
>> ending in a v1 root (ValiCert Class 2).
> Are we talking about this certificate?
>         Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com
That's the one.

> It's not just a X.509v1 certificate.  It's ten years old, it's just
> 1024 bits, and ValiCert does not exist anymore as an organization
> (thus the DN is invalid).
I'm not any happier about it than you are, but it seems godaddy are 
still issuing certs using that root.

> Simon, could we make the harmless variant (X.509v1 certificate set as
> trusted is accepted as a root CA, but intermediate X.509v1
> certificates aren't accepted) the default in etch?
>> Godaddy appears to have a newer v3 root but I don't know how widely
>> deployed this is. It is not in the etch ca-certificates package for
>> example.
> Which root are you referring to?
They're all available at https://certs.godaddy.com/Repository.go.

The main new one seems to be "Go Daddy Class 2 CA" which is in lenny 
ca-certificates as 

The other new one is "Starfield Services" which is in lenny 
ca-certificates as 

Neither of these are in etch, and in fact neither of them seem to have 
the critical flag set for their "X509v3 Basic Constraints", which I've 
seen mentioned as an issue in other bug reports.

Edward Allcutt
Network Operations

More information about the Pkg-gnutls-maint mailing list