[Pkg-openssl-devel] Bug#639744: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

Yves-Alexis Perez corsac at debian.org
Tue Sep 6 07:28:35 UTC 2011


On Tue., 2011-09-06 at 07:33 +0200, Mike Hommey wrote:
> On Mon, Sep 05, 2011 at 09:55:50PM +0200, Kurt Roeckx wrote:
> > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > > > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > > > > There is also openssl-blacklist, but it doesn't seem to have
> > > > > many users.
> > > 
> > > However, openssl-blacklist only includes a program that checks whether a
> > > certificate is weak, nothing in it AFAICS actually blocks them. It's basically
> > > useless for this case.
> > 
> > It could theoretically also be used to block any certificate if
> > we'd know the public key.  But I agree it's useless for this case.
> 
> Actually, if it was used at all levels of the cert chain, we could block
> the CA certificates we want. And we do know their public key, contrary
> to the rogue certs.
> 
In case this was missed:
http://www.f-secure.com/weblog/archives/00002231.html

(sorry, pastebin seems to be under attack right now or slashdotted right
now, so http://pastebin.com/u/ComodoHacker is unavailable)

Regards,
-- 
Yves-Alexis
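
Added example, not part of the original message and not openssl-blacklist's own code: a sketch of the check discussed in the quoted thread, where every certificate in a chain is tested against a list of blocked public keys. It assumes the list holds SHA-256 hashes of the DER SubjectPublicKeyInfo (openssl-blacklist's real format is not shown in the thread); the helper names and the sample "certificates" are constructed for illustration.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, content_start, content_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def spki_sha256(cert):
    """SHA-256 of the DER SubjectPublicKeyInfo inside an X.509 certificate."""
    _, start, _ = read_tlv(cert, 0)       # Certificate SEQUENCE
    _, off, _ = read_tlv(cert, start)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, off)
    if tag == 0xA0:                       # optional [0] version field
        off = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, off = read_tlv(cert, off)
    _, _, end = read_tlv(cert, off)       # subjectPublicKeyInfo
    return hashlib.sha256(cert[off:end]).hexdigest()

def blocked_in_chain(chain, blocklist):
    """Positions (leaf first) of chain certificates whose key is blocked."""
    return [i for i, cert in enumerate(chain) if spki_sha256(cert) in blocklist]

# --- constructed sample data: DER skeletons, not real certificates ---
def der(tag, *parts):
    body = b"".join(parts)
    size = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + head + body

def toy_cert(serial, issuer, subject, key):
    spki = der(0x30, der(0x30), der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])), der(0x30),
              der(0x30, der(0x0C, issuer)), der(0x30), der(0x30, der(0x0C, subject)), spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

CA_KEY, ROOT_KEY, LEAF_KEY = b"\xaa" * 128, b"\xbb" * 128, b"\xcc" * 128
root = toy_cert(1, b"Root", b"Root", ROOT_KEY)
bad_ca = toy_cert(2, b"Root", b"Blocked CA", CA_KEY)
cross = toy_cert(9, b"Other Root", b"Blocked CA", CA_KEY)  # same key, re-issued
leaf = toy_cert(3, b"Blocked CA", b"www.example.test", LEAF_KEY)
BLOCKLIST = {spki_sha256(bad_ca)}         # only the CA key is known in advance

print(blocked_in_chain([leaf, bad_ca, root], BLOCKLIST))  # [1]
print(blocked_in_chain([leaf, cross, root], BLOCKLIST))   # [1]
print(blocked_in_chain([leaf], BLOCKLIST))                # []
```

Checking only the leaf finds nothing, because the rogue certificate's own key is unknown; the match comes from the CA entry further up the chain, and it still matches when that CA key appears under a different issuer and serial.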