On Wed, Sep 07, 2011 at 06:23:18PM +0200, Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 10:57:51AM -0500, Raphael Geissert wrote:
> > [Kurt, please CC me on your replies. The BTS' -subscribe functionality
> > doesn't seem to be working]
> > [CC'ing ubuntu sec, in case Kees or Jamie or whoever is taking care of the
> > issue is also working on something to completely block DigiNotar]
> >
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > > The only currently supported methods are OCSP and CRL, but none would do
> > > > the trick in this case.
> > >
> > > I guess OCSP/CRL is only called for the topmost certificate, and all
> > > the CAs in the chain aren't checked in most applications. I thought
> > > I read Entrust revoked their signature, and in theory that should
> > > be enough.
> >
> > As long as the client becomes aware of that revocation, yes.
> > DigiNotar's PKIOverheid CA also needs to be blocked. I don't remember
> > reading any report of the gov already revoking it.
>
> There was a new update of firefox today that removed another
> certificate.

It corresponds to the second nss upload in Debian. (DSA-2300-2)

Mike