On 12/12/2011 01:23 PM, Sergei Zhirikov wrote:
> Hi,
>
> I believe there is a problem with the instructions to install CA certificates:
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
>
> The script that extracts certificates from Mozilla's certdata.txt explicitly
> rejects only certificates that have CKA_TRUST_SERVER_AUTH set to
> CKT_NETSCAPE_TRUST_UNKNOWN, which is kind of pointless, because:
>
> $ grep ^CKA_TRUST_SERVER_AUTH certdata.txt | sort -u
> CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
> CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
> CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
>
> There is no "CKT_NETSCAPE_TRUST_UNKNOWN", but there is
> "CKT_NSS_TRUST_UNKNOWN". And there is also "CKT_NSS_NOT_TRUSTED".
> So it looks like the script extracts all the certificates, including those
> explicitly distrusted by Mozilla.
>
> Also, it seems a bit strange that only CKA_TRUST_SERVER_AUTH is checked,
> because certificates can be used for things other than server authentication
> (although I don't know if there are any certificates on the list that have
> different trust level for different purposes).
>
> --
> Kind Regards,
> Sergei.
>

Yes, it looks like they changed things upstream. We'll get on it ASAP.
Thanks for the report.

-- DJ Lucas
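
Added example (not part of the original thread and not the BLFS script): the filtering problem reported above, reproduced in Python over a constructed, simplified certdata.txt excerpt. The function names and sample labels are hypothetical; it compares a filter that rejects only CKT_NETSCAPE_TRUST_UNKNOWN with one that accepts only CKT_NSS_TRUSTED_DELEGATOR for a given purpose.

```python
# Constructed sample in the certdata.txt trust-record layout (labels are
# made up; hash and serial attributes are omitted for brevity).
SAMPLE = '''\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-only C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

def parse_trust(text):
    """Return {label: {purpose_attribute: trust_value}} for each trust object."""
    records, label, in_trust = {}, None, False
    for line in text.splitlines():
        if line.startswith("CKA_CLASS "):
            # Trust objects have a class name ending in _TRUST; others are skipped.
            in_trust, label = line.split()[-1].endswith("_TRUST"), None
        elif in_trust and line.startswith("CKA_LABEL "):
            label = line.split('"')[1]
            records[label] = {}
        elif in_trust and label and " CK_TRUST " in line:
            attr, _, value = line.split()
            records[label][attr] = value
    return records

def denylist(records, rejected="CKT_NETSCAPE_TRUST_UNKNOWN"):
    """Filter as described in the report: reject one named value, keep the rest."""
    return sorted(l for l, t in records.items()
                  if t.get("CKA_TRUST_SERVER_AUTH") != rejected)

def allowlist(records, purpose="CKA_TRUST_SERVER_AUTH"):
    """Keep only roots explicitly marked as trusted delegators for `purpose`."""
    return sorted(l for l, t in records.items()
                  if t.get(purpose) == "CKT_NSS_TRUSTED_DELEGATOR")

if __name__ == "__main__":
    recs = parse_trust(SAMPLE)
    print("deny-list keeps: ", denylist(recs))
    print("allow-list keeps:", allowlist(recs))
```

Because the allow-list matches on the one accepted value, a renamed or newly introduced trust constant makes it exclude entries rather than silently include them.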
