Simon Josefsson wrote:
> Edward Allcutt <emall...@gleim.com> writes:
>> That's all very well, but it's a rather big change in functionality
>> for stable. I doubt it would be acceptable to patch all the relevant
>> apps which assume that their list of trusted CAs will actually be used
>> as such.
>
> Right, and I don't think these applications should be patched for two
> reasons:
>
>  1) That would open up for security problems.

Are there any problems other than trusting the V1 certs as CAs? Because that's what the apps seem to expect.

>  2) The GnuTLS documentation and API has a flag to enable V1 CAs to be
>     valid as a CA root, and another flag to enable V1 CAs to be valid as
>     an intermediate CA cert.  This implies the default is that the certs
>     are intended to be disallowed.

I see that as a reason to patch, not a reason not to patch.

--
Edward Allcutt
Network Operations


