[Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

Mike Hommey mh at glandium.org
Wed Sep 7 16:26:57 UTC 2011


On Wed, Sep 07, 2011 at 06:23:18PM +0200, Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 10:57:51AM -0500, Raphael Geissert wrote:
> > [Kurt, please CC me on your replies. The BTS' -subscribe functionality doesn't 
> > seem to be working]
> > [CC'ing ubuntu sec, in case Kees or Jamie or whoever is taking care of the 
> > issue is also working on something to completely block DigiNotar]
> > 
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > > The only currently supported methods are OCSP and CRL, but none would do
> > > > the trick in this case.
> > > 
> > > I guess OCSP/CRL is only called for the topmost certificate, and all
> > > the CAs in the chain aren't checked in most applications.  I thought
> > > I read Entrust revoked their signature, and in theory that should
> > > be enough.
> > 
> > As long as the client becomes aware of that revocation, yes.
> > DigiNotar's PKIOverheid CA also needs to be blocked. I don't remember reading 
> > any report of the gov already revoking it.
> 
> There was a new update of firefox today that removed another
> certificate.

It corresponds to the second nss upload in Debian. (DSA-2300-2)

Mike
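To make Kurt's point above concrete (added example, not code from this thread, the Debian packages or the real DigiNotar material): a constructed chain root -> intermediate -> leaf whose root has revoked the intermediate, verified through Ruby's stdlib bindings to the same X509_STORE flags OpenSSL exposes to every application. The leaf-only CRL check (V_FLAG_CRL_CHECK, what most clients do) accepts the chain; only CRL_CHECK_ALL walks up to the CA certificates and rejects it. Names and serials are made up.

```ruby
require "openssl"
# Constructed three-certificate PKI (no real keys or CAs): root -> intermediate
# -> leaf. The root's CRL revokes the intermediate; the intermediate's CRL is empty.
def make_cert(subject, issuer, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

def make_crl(issuer, issuer_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, issuer.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial, entry.time = serial, Time.now - 60
    crl.add_revoked(entry)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

def build_pki
  root_key, sub_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("/CN=Demo Root", nil, nil, root_key, 1, ca: true)
  sub  = make_cert("/CN=Demo Intermediate", root, root_key, sub_key, 2, ca: true)
  leaf = make_cert("/CN=www.example.test", sub, sub_key, leaf_key, 3, ca: false)
  # Serial 2 (the intermediate) is revoked by its issuer, the root.
  { root: root, sub: sub, leaf: leaf, crls: [make_crl(root, root_key, [2]), make_crl(sub, sub_key, [])] }
end

# Verify the leaf with the given X509_STORE flags; returns [verified?, error code].
def verify(pki, flags)
  store = OpenSSL::X509::Store.new
  store.add_cert(pki[:root])
  pki[:crls].each { |crl| store.add_crl(crl) }
  store.flags = flags
  ctx = OpenSSL::X509::StoreContext.new(store, pki[:leaf], [pki[:sub]])
  [ctx.verify, ctx.error]
end

if __FILE__ == $0
  pki = build_pki
  p verify(pki, OpenSSL::X509::V_FLAG_CRL_CHECK)   # leaf-only check: the revoked intermediate is missed
  p verify(pki, OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)  # => [false, 23]
end
```

Error code 23 is V_ERR_CERT_REVOKED; the same distinction applies to the `-crl_check` versus `-crl_check_all` options of `openssl verify`.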
