ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Oct 31 15:30:56 UTC 2014


On Fri, 2014-10-31 at 16:11 +0100, Reindl Harald wrote:

> > Are you sure that this is the case with the current package? My F21 can
> > no longer connect to network to test, but gnutls in it should
> > reconstruct the chain similarly to what nss does (not very similarly to
> > be precise but the end result should be the same). If it is not the case
> > please report it as bug and I'll check it out.
> 
> the point is that if somebody buys a certificate for 6 years he may have 
> a checklist when to change them and if some 3rd party decides to remove 
> the CA certificate -> game over for users of that 3rd party
> 
> from where will you "reconstruct the chain"?
> * webserver a) has a certificate for 6 years
> * the issuer is CA b) which you remove

I'm also not particularly fond of this approach as it adds complexity to
an otherwise very complex protocol. However, in gnutls an alternative
certificate path is calculated if there is a trusted certificate which
has the same name as the issuer of a CA certificate in the path, and it
also has the same key.

This is the particular case that Kai refers to. For example, in that
case a VeriSign intermediate certificate was removed and replaced with
a root CA certificate that has the same DN and the same key.

regards,
Nikos
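
The alternative-path rule described in the message above, as an added example that is not part of the original post and is not gnutls code. It is a simplified model: DNs and keys are plain strings, signature checks are reduced to key-string equality, and all certificate names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str    # subject DN
    issuer: str     # issuer DN
    key: str        # stand-in for the certificate's public key
    signed_by: str  # stand-in for the key that verifies its signature

def find_anchor(cert, trust_store):
    """Return a trusted cert with the issuer's DN and the issuer's key, if any."""
    for ta in trust_store:
        if ta.subject == cert.issuer and ta.key == cert.signed_by:
            return ta
    return None

def build_path(chain, trust_store):
    """Walk the presented chain leaf-first and stop at the first trusted match."""
    path = []
    for i, cert in enumerate(chain):
        path.append(cert)
        anchor = find_anchor(cert, trust_store)
        if anchor is not None:
            return path + [anchor]  # the rest of the presented chain is ignored
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt.subject != cert.issuer or nxt.key != cert.signed_by:
            return None             # chain is broken or ends without a trust anchor
    return None

def subjects(path):
    return None if path is None else [c.subject for c in path]

# Constructed sample data: a leaf, a cross-signed intermediate, the old root,
# a self-signed root reusing the intermediate's DN and key, and a same-DN
# certificate with a different key.
leaf = Cert("CN=www.example.test", "CN=Example CA G5", "k-leaf", "k-g5")
g5_intermediate = Cert("CN=Example CA G5", "CN=Example Old Root", "k-g5", "k-old")
old_root = Cert("CN=Example Old Root", "CN=Example Old Root", "k-old", "k-old")
g5_root = Cert("CN=Example CA G5", "CN=Example CA G5", "k-g5", "k-g5")
g5_rekeyed = Cert("CN=Example CA G5", "CN=Example CA G5", "k-other", "k-other")
presented = [leaf, g5_intermediate, old_root]

if __name__ == "__main__":
    print("old root trusted:   ", subjects(build_path(presented, [old_root])))
    print("same DN, same key:  ", subjects(build_path(presented, [g5_root])))
    print("same DN, other key: ", subjects(build_path(presented, [g5_rekeyed])))
    print("issuer removed:     ", subjects(build_path(presented, [])))
```

The last case is the one raised in the quoted question: when the issuing CA is removed and no trusted certificate carries the same DN and key, no path can be built.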



