On Wed, Sep 28, 2011 at 04:39:20PM +0200, Jan de Groot wrote:
On Wed, 2011-09-28 at 08:52 -0400, Dave Reisner wrote:
So we're missing the VeriSign Class 3 cert which seems extremely odd. As per Verisign[1], all class 3 root certs are in valid and should remain in root certificate bundles.
We're not missing it in ca-certificates, we just have a different one. Both ca-bundle.crt and ca-certificates.crt contain the same serial number for this certificate, the only difference I can find is this:
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: md2WithRSAEncryption
curl uses GNUTLS, which doesn't support MD2. OpenSSL should support it,
Our curl does not link against gnutls. Upstream doesn't recommend this, either, when openssl is available.
know how far the application has to go to support it.
Our ca-certificates package contains these CAs that are not in mozilla NSS:
- brasil.gov.br

wget can't verify this cert.

- debconf.org

wget can't verify this cert.

- signet.pl

wget can't verify this cert. The common name is www.bptp.lodz.telekomunikacja.pl, but wget won't verify that either.

We patch cacert.org and spi-inc.org into NSS, so that narrows the list a bit. IMHO we should just drop ca-certificates in its current shape and replace it with a dump from our NSS package. We could even discuss the inclusion of spi-inc.org and cacert certificates.
Sure, I'm very interested in doing this. The current certs package is pretty ugly. Unfortunately, every distro seems to have their own method of managing this.

d