On Tue, April 1, 2014 08:57, Klaus Ethgen wrote:
> Hmmm, for some reason someone changed the certificate of bugs.debian.org
> to an unknown certificate issuer so "bts show" does not work anymore. Who
> the hell is GANDI CA?

You're kidding, right? Maybe because of the date? The Gandi CA is signed by
the UTN Userfirst root CA which is in ca-certificates. Your whole argument
revolves around the fact that a certificate must be in ca-certificates for
you to be able to use/trust it. However, if the BTS uses a CA that is
actually included in ca-certificates, you throw up your arms in the air?
I'm really at a loss here.

> No, it's a wget problem that you can only specify to not check any
> certificate or check any (--no-check-certificate). There is no way to
> only skip this particular certificate from one side.

There is. How to add certificates to the trusted store is documented in
ca-certificates and has also been explained in this bug.

> I just gave the examples I use on a daily basis. For normal users there
> are similar programs. However, I saw also mutt users that just gave a
> fuck about the fingerprint they are provided with and just accepted it.

I agree that these users exist. However, if they accept anything, then
they are by definition not influenced by what is in ca-certificates or
not. Any attacker will already be able to control their connection.


Cheers,
Thijs

