On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > > There is also openssl-blacklist, but it doesn't seem to have
> > > many users.
>
> However, openssl-blacklist only includes a program that checks whether a
> certificate is weak, nothing in it AFAICS actually blocks them. It's
> basically useless for this case.

It could theoretically also be used to block any certificate if we'd
know the public key. But I agree it's useless for this case.

> > After having read the bug report, I think we need to have a way
> > to say that we don't trust a CA, or have a concept for which
> > things we do trust a CA. I think NSS has this concept, but
> > openssl or ca-certificates clearly can't express this currently.
> >
> > Another way of saying the same thing would be to be able to
> > blacklist a CA. The openssl-blacklist only contains a list of
> > blocked certificates, but nothing in it now checks the trust
> > path to see if it's used anywhere in the chain.
>
> The only currently supported methods are OCSP and CRL, but none would do the
> trick in this case.

I guess OCSP/CRL is only called for the topmost certificate, and
all the CAs in the chain aren't checked in most applications.
I thought I read Entrust revoked their signature, and in theory
that should be enough. At least the openssl "verify" util has
a "-crl_check", and "-crl_check_all", but it doesn't do OCSP.

> I was thinking about hard-coding a check for CN=* DigiNotar * most likely in
> libcrypto's X.509 support, but so far my lack of knowledge of OpenSSL's
> internals has me a bit lost.
> Hard-coding it is suboptimal, but I think it is the only reasonable solution
> for the time being. We can't wait weeks or months for a better solution.
>
> What do you think about making such a change?

So you're basically saying that X509_verify_cert() should give an
error in case it finds DigiNotar somewhere in the chain?

I'm not opposed to such a change, but would like to see a better
option in the future.

Kurt
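The difference the thread turns on, checking only the leaf versus checking every certificate in the path (revocation, a public-key blocklist as in openssl-blacklist, and the proposed CN=* DigiNotar * name match), as an added Python model that is not code from this list thread or from OpenSSL; the Cert record, the sample chain and the fingerprint values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal certificate record (constructed; not an OpenSSL X509 object)."""
    subject: str          # DN string, e.g. "CN=www.example.org,O=Example"
    issuer: str
    serial: int
    key_fingerprint: str  # stands in for a hash of the SubjectPublicKeyInfo

def subject_cn(cert):
    """Return the CN attribute of the subject DN ("" if absent)."""
    for part in cert.subject.split(","):
        if part.strip().startswith("CN="):
            return part.strip()[3:]
    return ""

def verify_chain(chain, trusted_roots, revoked, blocked_cn_substrings,
                 blocked_key_fingerprints, check_all=True):
    """Return (ok, reason) for a chain ordered leaf first, root last.
    check_all=False applies revocation/blocklists to the leaf only (what most
    applications and 'openssl verify -crl_check' do); check_all=True applies
    them to every certificate in the path ('-crl_check_all' plus a CA block)."""
    if not chain:
        return False, "empty chain"
    # Path check: each certificate is issued by the next one; top is a trusted root.
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, f"issuer mismatch at {subject_cn(cert)!r}"
    if chain[-1].subject not in trusted_roots:
        return False, f"untrusted root {subject_cn(chain[-1])!r}"
    for cert in (chain if check_all else chain[:1]):
        # CRL-style revocation is keyed by (issuer, serial): serials are per issuer.
        if (cert.issuer, cert.serial) in revoked:
            return False, f"revoked: {subject_cn(cert)!r}"
        # openssl-blacklist style: block by public key regardless of the name.
        if cert.key_fingerprint in blocked_key_fingerprints:
            return False, f"blocked key: {subject_cn(cert)!r}"
        # Hard-coded name check proposed in the thread (CN=* DigiNotar *).
        cn = subject_cn(cert).lower()
        if any(s.lower() in cn for s in blocked_cn_substrings):
            return False, f"blocked CA name: {subject_cn(cert)!r}"
    return True, "ok"

# Constructed sample chain, leaf -> intermediate -> root (all values made up).
ROOT = Cert("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example", 1, "fp-root")
SUB = Cert("CN=DigiNotar Example CA,O=Example", ROOT.subject, 2, "fp-sub")
LEAF = Cert("CN=www.example.org,O=Example", SUB.subject, 3, "fp-leaf")
CHAIN = [LEAF, SUB, ROOT]
TRUSTED = {ROOT.subject}
```

With check_all=False the sample chain passes even though the intermediate is on the name blocklist; with check_all=True it is rejected at the intermediate, which is the behaviour being asked of X509_verify_cert().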