On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> Does OpenSSL not have any facility for a system-wide revocation list?

No, I already checked that back when the Comodo hack occurred.
Every application needs to manually load the revocation lists, just like they
need to manually check the trust chain and all the other
this-should-all-be-done-in-just-one-place things.

(I only checked OpenSSL and GnuTLS, don't know about other implementations.)

> Fortunately, in this case, the resolution involves disabling the
> DigiNotar Root CA entirely, which ca-certificates can do.

Yep, this case can nicely be handled by ca-certificates.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
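
The per-application step described in this message, shown as an added example that is not part of the original e-mail, using Python's `ssl` module (a wrapper over OpenSSL). The CRL directory and the function names are assumptions chosen for illustration.

```python
import ssl
from pathlib import Path


def crl_checking_enabled(ctx: ssl.SSLContext) -> bool:
    """True if this context asks OpenSSL to consult CRLs at all."""
    mask = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN
    return bool(ctx.verify_flags & mask)


def client_context_with_crls(crl_dir: str, whole_chain: bool = False) -> ssl.SSLContext:
    """Build a client context that checks revocation against local CRLs.

    crl_dir is a hypothetical, application-chosen directory of PEM CRL
    files (*.pem); OpenSSL does not pick up any such location on its own.
    """
    crl_files = sorted(Path(crl_dir).glob("*.pem"))
    if not crl_files:
        # Fail closed. With the flag set and no CRL for the issuer, OpenSSL
        # rejects every peer; without the flag, revocation is silently
        # skipped. Neither is what the caller asked for.
        raise FileNotFoundError(f"no CRL files in {crl_dir}")

    ctx = ssl.create_default_context()  # system trust anchors, no CRLs
    for crl in crl_files:
        # load_verify_locations() accepts CRLs as well as CA certificates.
        ctx.load_verify_locations(cafile=str(crl))

    # Loading a CRL is not enough: checking must be switched on explicitly.
    if whole_chain:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    else:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx
```

A context from `ssl.create_default_context()` alone reports `crl_checking_enabled(...)` as false, which is the default every application starts from.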