ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Michael Catanzaro mcatanzaro at gnome.org
Tue Nov 18 15:12:07 UTC 2014


On Tue, 2014-11-18 at 12:11 +0100, Florian Weimer wrote:
> Firefox also builds a repository of intermediate certificates over
> time and uses them automatically to fill gaps in certificate chains for
> completely unrelated sites.  This leads to somewhat non-predictable
> behavior regarding the set of sites to which Firefox can connect
> reliably.  This is difficult to emulate in one-shot command line tools
> such as wget which do not keep any local state by default.

And that's arguably the biggest problem of all. The goal is to reduce
certificate validation failures for users who have seen a particular
intermediate cert before, but the effect is that web developers get
false positives when testing whether their sites are set up properly or
not. This just makes things worse in the long run.

Chrome does this as well (when using NSS -- not sure if Chrome on Linux
uses NSS, but Chrome on Windows does).
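A one-shot chain check in the spirit of wget, added here as an example and not part of the thread or of any of the tools it mentions: it validates the chain the server actually sends against the CA bundle alone, with no cache of previously seen intermediates, so a site that only works because the browser remembered an intermediate fails here too. Host, port and `cafile` are whatever the caller supplies; the diagnosis table is an assumption based on OpenSSL's verify messages.

```python
"""One-shot TLS chain check with no local intermediate cache (added example)."""
import socket
import ssl
from typing import Optional, Tuple

# OpenSSL verify messages (exposed as ssl.SSLCertVerificationError.verify_message)
# mapped to what a site operator should fix. Assumed wording; unknown messages
# fall through to a generic diagnosis.
_DIAGNOSES = {
    "unable to get local issuer certificate":
        "server did not send the intermediate CA certificate (chain is incomplete)",
    "unable to get issuer certificate":
        "server did not send the intermediate CA certificate (chain is incomplete)",
    "self signed certificate in certificate chain":
        "chain ends in a root that is not in the trust store",
    "self-signed certificate in certificate chain":
        "chain ends in a root that is not in the trust store",
    "certificate has expired":
        "a certificate in the chain has expired",
}


def classify_verify_error(verify_message: str) -> str:
    """Map an OpenSSL verify failure string to an actionable diagnosis."""
    key = verify_message.strip().lower()
    return _DIAGNOSES.get(key, f"verification failed: {verify_message}")


def check_served_chain(host: str, port: int = 443, cafile: Optional[str] = None,
                       timeout: float = 10.0) -> Tuple[bool, str]:
    """Connect once with a fresh context that trusts only the CA bundle.

    Like wget, this keeps no state between runs, so the only intermediates
    available are the ones the server sends. Returns (ok, explanation).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # roots only, nothing cached
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"chain validated; negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return False, classify_verify_error(exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    ok, why = check_served_chain(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(("OK   " if ok else "FAIL ") + why)
```

A site that passes in Firefox but fails this check with the "chain is incomplete" diagnosis is the false-positive case the thread describes: the browser's cached intermediate was hiding a misconfigured server.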