Hi,

> I am not sure this is serious. Douglas' bug applies to X509 v1 CA certs,
> which afaiui are rare.
> Gnutls is documented to not trust this type of certificates unless a
> special flag is set, afaict the bug is about the fact that gnutls
> distrusted them even if the flag was set. Even fixing this did not help
> Douglas, since it would have required changing nss-ldap to pass the
> flag.

I do agree that this is rightfully a 'serious' bug and the fix should enter lenny. v1 CA certs are not that rare. The Globalsign root certificate is a v1 cert, and Globalsign is a major vendor of certificates.

The problem is not really them being disabled by default but that the intended mechanism to enable them was broken, making it completely impossible to use the certificates in the intended way if you have a certificate authority using such a root cert.

The fix in unstable is good and targeted, so I think it should be unblocked and migrated before the release.

thanks,
Thijs