Re: ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2014-10-31 at 16:11 +0100, Reindl Harald wrote:

> > Are you sure that this is the case with the current package? My F21 can
> > no longer connect to network to test, but gnutls in it should
> > reconstruct the chain similarly to what nss does (not very similarly to
> > be precise but the end result should be the same). If it is not the case
> > please report it as bug and I'll check it out.
> 
> the point is that if somebody buys a certificate for 6 years he may have 
> a checklist when to change them and if some 3rd party decides to remove 
> the CA certificate -> game over for users of that 3rd party
> 
> from where will you "reconstruct the chain"?
> * webserver a) has a certificate for 6 years
> * the issuer is CA b) which you remove

I'm also not particularly fond of this approach as it adds complexity to
an otherwise very complex protocol. However, in gnutls an alternative
certificate path is calculated if there is a trusted certificate which
has the same name as the issuer of a CA certificate in the path, and it
also has the same key.

This is the particular case that Kai refers to. For example in that
case, a verisign intermediate certificate was removed, and replaced with
a root CA certificate, that has the same DN, and the same key.

regards,
Nikos


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux