[Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

Kurt Roeckx kurt at roeckx.be
Sun Sep 4 10:55:27 UTC 2011


On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
> > 
> > Seems like it would be better if we also handled the issue at the libssl 
> > level. OpenSSL maintainers: does that sound doable?
> 
> I'm not sure what you mean.  We don't provide any certificates,
> you need to tell openssl which certs to use, which can be a file
> or directory.  There are certificates provided by ca-certificates,
> which is probably what most people would use and afaik the DigiNotar
> CA got dropped from it.
> 
> Their is also openssl-blacklist, but it doesn't seem to have
> much users.

After having read the bug report, I think we need to have a way
to say that we don't trust a CA, or have a concept for which
things we do trust a CA.  I think NSS has this concept, but
openssl or ca-certificates clearly can't express this currently.

An other way of saying the same thing  would be to be able to
blacklist a CA.  The openssl-blacklist only contains a list of
blocked certificates, but nothing in it now checks the trust
path to see if it's used anywhere in the chain.

If we want to add something, it would be nice if all SSL/TLS
libraries could do that.  As far as I know, this currently
includes:
- openssl
- gnutls
- nss
- polarssl

I think I'm forgetting something for java.  And have the feeling
I still forget something else.


Kurt




More information about the Pkg-openssl-devel mailing list