On Tuesday 30 August 2011 15:48:11 Mike Hommey wrote: > On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote: > > On mar., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote: > > > What I can't tell for sure from the documentation is whether OpenSSL > > > and GnuTLS do check the CRL's validity (signature and time.) It > > > doesn't seem like they do. > > > This is relevant if we were to ship them in ca-certificates.
Mike, without digging into the documentation I found this reference [2] regarding NSS and its CRL support. Do you know if any of what is said on that email has changed? namely how 'next update' dates are handled. [2]http://www.mail-archive.com/mozilla-crypto@mozilla.org/msg00890.html > > > Yves, do you know how the CRL stuff is handled in nss? > > > > (my first name is Yves-Alexis :) Oops, sorry. Please accept my apologies. > That being said, there is a huge problem with mitigation in basically > all the SSL libraries. There simply is no way to handle the current > situation[1] without modifying applications. [...] > 1. Several fraudulent certificates whose fingerprint is unknown signed > with several different intermediate certs that are cross-signed by other > "safe" CAs (aiui). Oh. Well, first thing first, I've NMUed ca-certs to remove the DigiNotar Root CA and will probably release a DSA with the change too (I'm afraid it will give a false sense of security.) What is to be done next should probably be discussed in -devel and have input from external people. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
