[pkg-lynx-maint] Bug#745835: lynx-cur: certificate revocation is not checked
Axel Beckert
abe at debian.org
Mon Apr 27 15:18:23 UTC 2015
Control: tag -1 - moreinfo + upstream
Control: severity -1 important

Hi Vincent,

Vincent Lefevre wrote:
> On 2015-04-27 14:49:15 +0200, Axel Beckert wrote:
> > Vincent Lefevre wrote:
> > > This problem still occurs. For a new testcase URL:
> > >
> > > lynx https://www.vinc17.net:4434/
> > >
> > > does not give an error, contrary to Firefox.
> >
> > JFTR: Works "fine" (i.e. without revocation warning) in Chromium
> > (42.0.2311.90-2), too. But I don't see such a bug report at
> > https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=chromium-browser
>
> Chromium is just crap and its maintainers do not care. See my bug
> report here (which is a part of the problem):
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745646
>
> The bug was closed without being fixed.

Depends likely on the point of view.

> > Can you please elaborate over which methods you expect lynx to check
> > the revocation or over which methods it can be checked, i.e. CRL or
> > OCSP?
>
> CRL might be OK if Debian has a way to get a complete CRLset.
> But I haven't seen one.
>
> So, OCSP (possibly OCSP must-staple) should really be implemented.

So this is basically an upstream feature request.

I don't think a feature request which you yourself phrase with
"should" validates RC-severity, even if it's a security related
feature. Hence downgrading the severity to "important".

Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE