On Thu, Jan 29, 2009 at 07:31:00PM +0100, Andreas Metzler wrote:
> I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs,
> which afaiui are rare.
> http://news.gmane.org/find-root.php?message_id=%3c20090110155632.10ba0626%40nmav%2deee%3e

> Gnutls is documented to not trust this type of certificates unless a
> special flag is set, afaict the bug is about the fact that gnutls
> distrusted them even if the flag was set. Even fixing this did not help
> Douglas, since it would have required changing nss-ldap to pass the
> flag.

Ok. If you don't think it's serious, by all means re-downgrade it. I
would think this should be fixed before lenny release, though, given that
there are still some commonly-recognized V1 CAs.

> Douglas later posted a feature enhancement patch that makes GnuTLS
> stop when an intermediate CA cert is found on the trusted CA
> list.
> http://news.gmane.org/find-root.php?message_id=%3c496BA38D.90104%40anl.gov%3e

Right. Since at that point he's dealing with creating his own top-level
CA, one wonders why they don't issue a self-signed cert for their CA and
truncate the chain that way?

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slanga...@ubuntu.com             vor...@debian.org
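The two chain-truncation options discussed in this thread (a verifier that stops as soon as it reaches an intermediate CA that is itself in the trusted list, versus the site re-issuing its CA as a self-signed certificate and trusting that) can be seen side by side with Go's standard-library verifier. The program below is an added example and is not code from the bug report, from GnuTLS or from nss-ldap; it assumes Go's `crypto/x509` chain-building semantics rather than GnuTLS's, and all keys, names and serial numbers are constructed on the spot. It builds a root, an intermediate "site CA" and a leaf, then verifies the leaf under three different trust stores and reports the chain length that results. Note that Go cannot emit X.509 v1 certificates, so the v1 CA aspect of the original bug is not reproduced here; only the chain-truncation behaviour is.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed three-level PKI: root -> intermediate -> leaf.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *ecdsa.PrivateKey // kept so the intermediate can be re-issued self-signed
}

// caTemplate returns a v3 CA template carrying basicConstraints CA:TRUE.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// issue signs tmpl under parent with signerKey (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates the constructed PKI with fresh P-256 keys (all names are made up).
func BuildChain() (*Chain, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	interKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := caTemplate(1, "Constructed Root CA")
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	interTmpl := caTemplate(2, "Constructed Site CA")
	inter, err := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "ldap.example.test"},
		DNSNames:     []string{"ldap.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}, nil
}

// SelfSignedSiteCA re-issues the intermediate's subject and key as a self-signed
// certificate: the alternative suggested in the thread to trusting an intermediate directly.
func SelfSignedSiteCA(c *Chain) (*x509.Certificate, error) {
	tmpl := caTemplate(2, c.Inter.Subject.CommonName)
	return issue(tmpl, tmpl, &c.InterKey.PublicKey, c.InterKey)
}

// ChainLenTrusting verifies leaf with only anchor in the trust store and the given certs
// offered as untrusted intermediates; it returns the length of the first chain built.
func ChainLenTrusting(leaf, anchor *x509.Certificate, offered ...*x509.Certificate) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inters := x509.NewCertPool()
	for _, c := range offered {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	n, err := ChainLenTrusting(c.Leaf, c.Root, c.Inter)
	fmt.Println("trust root, offer intermediate:", n, err) // 3 <nil>
	n, err = ChainLenTrusting(c.Leaf, c.Inter)
	fmt.Println("trust intermediate directly:   ", n, err) // 2 <nil>: chain stops at the trusted intermediate
	self, err := SelfSignedSiteCA(c)
	if err != nil {
		panic(err)
	}
	n, err = ChainLenTrusting(c.Leaf, self)
	fmt.Println("trust self-signed site CA:     ", n, err) // 2 <nil>: same key and subject, no upstream root needed
	_, err = ChainLenTrusting(c.Leaf, c.Root)
	fmt.Println("trust root, offer nothing:     ", err) // unknown authority: the intermediate is missing
}
```

The second and third runs both yield a two-certificate chain: Go's verifier terminates at any certificate found in the root pool, which is the behaviour Douglas's patch asked GnuTLS for, while the self-signed variant gets the same result without any change to the verifier, since the leaf's signature checks out against the same public key and the self-signed certificate needs no parent. The last run shows the failure mode to watch for in either deployment: if the trust store holds only the upstream root and the intermediate is not sent, the chain cannot be built at all.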