* Edward Allcutt:

> I believe this is a significant regression in stable because at least
> one widely used CA (godaddy) still issues certificates with a chain
> ending in a v1 root (ValiCert Class 2).
Are we talking about this certificate?

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailaddress=i...@valicert.com
        Validity
            Not Before: Jun 26 00:19:54 1999 GMT
            Not After : Jun 26 00:19:54 2019 GMT
        Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailaddress=i...@valicert.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:
                    0e:f9:ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:
                    98:36:3c:5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:
                    25:42:09:24:6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:
                    d6:7d:5a:59:a9:65:d4:49:13:2d:24:4d:1c:50:6f:
                    b5:c1:85:54:3b:fe:71:e4:d3:5c:42:f9:80:e0:91:
                    1a:0a:5b:39:36:67:f3:3f:55:7c:1b:3f:b4:5f:64:
                    73:34:e3:b4:12:bf:87:64:f8:da:12:ff:37:27:c1:
                    b3:43:bb:ef:7b:6e:2e:69:f7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:c8:3e:
        a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:18:00:8e:4d:
        bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:41:d9:0f:34:ee:21:
        81:19:a0:32:49:28:f4:c4:8e:56:d5:52:33:fd:50:d5:7e:99:
        6c:03:e4:c9:4c:fc:cb:6c:ab:66:b3:4a:21:8c:e5:b5:0c:32:
        3e:10:b2:cc:6c:a1:dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:
        0e:4a:b7:3f:3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:
        43:dd

It's not just an X.509v1 certificate. It's ten years old, it's just 1024 bits, and ValiCert does not exist anymore as an organization (thus the DN is invalid). So while I understand that there is a problem (and we knew that there was a trade-off to be made when releasing the update), I think this particular root certificate is a bad example if you want to make a point.
Simon, could we make the harmless variant (X.509v1 certificate set as trusted is accepted as a root CA, but intermediate X.509v1 certificates aren't accepted) the default in etch?

> Godaddy appears to have a newer v3 root but I don't know how widely
> deployed this is. It is not in the etch ca-certificates package for
> example.

Which root are you referring to?
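An added example, not code from this bug thread or from GnuTLS, of the "harmless variant" policy asked for above: a pure-Python DER reader that recovers the X.509 version field, and a chain rule that tolerates a v1 certificate only when it is a configured trust anchor at the end of the chain, never as an intermediate. The DER structures below are constructed and truncated after the serial number (enough for the version check); the function names are my own.

```python
def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der):
    """Version (1, 2 or 3) of a DER-encoded certificate.

    TBSCertificate begins with an OPTIONAL [0] EXPLICIT INTEGER version.
    When it is absent the certificate is v1 (like the ValiCert root above).
    """
    tag, start, _ = _der_tlv(der, 0)       # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, start, _ = _der_tlv(der, start)   # tbsCertificate ::= SEQUENCE
    assert tag == 0x30
    tag, vstart, _ = _der_tlv(der, start)  # [0] version, or serialNumber
    if tag != 0xA0:                        # no [0] tag: DEFAULT v1
        return 1
    itag, istart, iend = _der_tlv(der, vstart)
    assert itag == 0x02                    # INTEGER, zero-based (2 == v3)
    return int.from_bytes(der[istart:iend], "big") + 1


def chain_acceptable(chain, trust_anchors):
    """chain: DER certs, leaf first, root last. trust_anchors: set of DER.

    A v1 certificate passes only if it is byte-identical to a configured
    trust anchor and is the last element; a v1 intermediate is rejected.
    """
    for i, cert in enumerate(chain):
        if x509_version(cert) == 1:
            is_last = i == len(chain) - 1
            if not (is_last and cert in trust_anchors):
                return False, f"X.509v1 certificate at position {i} is not a trust anchor"
    return True, "ok"


# Constructed, truncated DER (outer SEQUENCE, tbsCertificate SEQUENCE,
# optional [0] version, serial). Real certificates continue after this.
V3_LEAF = bytes.fromhex("300a3008a003020102020107")          # v3, serial 7
V3_ROOT = bytes.fromhex("300a3008a003020102020108")          # v3, serial 8
V1_INTERMEDIATE = bytes.fromhex("30053003020105")            # v1, serial 5
V1_ROOT = bytes.fromhex("30053003020101")                    # v1, serial 1
```

`chain_acceptable([V3_LEAF, V1_ROOT], {V1_ROOT})` is accepted, while the same v1 certificate in an intermediate position or missing from the trust store is rejected.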