On Wed, 2011-09-28 at 08:52 -0400, Dave Reisner wrote:
> So we're missing the VeriSign Class 3 cert which seems extremely odd. As per Verisign[1], all class 3 root certs are valid and should remain in root certificate bundles.

We're not missing it in ca-certificates, we just have a different one. Both ca-bundle.crt and ca-certificates.crt contain the same serial number for this certificate; the only difference I can find is this:

    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: md2WithRSAEncryption

curl uses GNUTLS, which doesn't support MD2. OpenSSL should support it, but it's deprecated. Our builds should still support md2, but I don't know how far the application has to go to support it.

Our ca-certificates package contains these CAs that are not in mozilla NSS:

- brasil.gov.br
- cacert.org
- debconf.org
- gouv.fr
- signet.pl
- spi-inc.org

We patch cacert.org and spi-inc.org into NSS, so that narrows the list a bit.

IMHO we should just drop ca-certificates in its current shape and replace it with a dump from our NSS package. We could even discuss the inclusion of the spi-inc.org and cacert certificates.
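A stand-alone way to do the comparison described in the reply above, added here as an example that is not from the thread or from the ca-certificates package: it walks each PEM bundle with a minimal DER reader (standard library only, not a full X.509 parser), indexes certificates by serial number and outer signature-algorithm OID, and reports serials present in both bundles with different signature algorithms, plus any MD2-signed entries that GnuTLS would not accept. The two bundles it runs on are constructed stand-ins built inside the script, with made-up serial numbers; they are not real CA certificates.

```python
"""Diff two PEM CA bundles by serial number and signature algorithm.
Added example, not ca-certificates tooling; sample bundles are constructed."""
import base64
import re

# --- minimal DER encoding, used only to construct the sample bundles ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                       # keep the INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_sample_cert(serial, sig_oid):
    """Constructed certificate-shaped DER: only version, serialNumber and the
    signature AlgorithmIdentifier are meaningful; the rest is filler."""
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier + NULL
    version = tlv(0xA0, encode_int(2))                     # [0] EXPLICIT version v3
    tbs = tlv(0x30, version + encode_int(serial) + alg + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))  # + BIT STRING filler

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- minimal DER decoding: serialNumber and outer signatureAlgorithm ---

def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_cert(der):
    """(serial, signature OID) from Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, pos = read_tlv(cert, 0)
    _, alg, _ = read_tlv(cert, pos)
    _, oid, _ = read_tlv(alg, 0)
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                       # optional [0] version precedes serialNumber
        tag, body, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return int.from_bytes(body, "big"), decode_oid(oid)

def pem_certs(text):
    for m in re.finditer(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S):
        yield base64.b64decode("".join(m.group(1).split()))

SIGALG = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
          "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
          "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
GNUTLS_UNSUPPORTED = {"md2WithRSAEncryption"}   # per the thread: GnuTLS has no MD2

def index_bundle(text):
    return {serial: SIGALG.get(oid, oid) for serial, oid in map(parse_cert, pem_certs(text))}

def compare_bundles(text_a, text_b):
    """Per serial: 'same', 'differs' (same serial, other signature algorithm,
    the case in the thread), 'only_in_a' or 'only_in_b'."""
    a, b = index_bundle(text_a), index_bundle(text_b)
    out = {}
    for serial in sorted(set(a) | set(b)):
        if serial not in b:          out[serial] = ("only_in_a", a[serial], None)
        elif serial not in a:        out[serial] = ("only_in_b", None, b[serial])
        elif a[serial] == b[serial]: out[serial] = ("same", a[serial], b[serial])
        else:                        out[serial] = ("differs", a[serial], b[serial])
    return out

def unusable_with_gnutls(text):
    return sorted(s for s, alg in index_bundle(text).items() if alg in GNUTLS_UNSUPPORTED)

# Constructed sample bundles; serials 0x1001.. are made up, not any CA's.
BUNDLE_A = (to_pem(build_sample_cert(0x1001, "1.2.840.113549.1.1.5"))
            + to_pem(build_sample_cert(0x1002, "1.2.840.113549.1.1.11")))
BUNDLE_B = (to_pem(build_sample_cert(0x1001, "1.2.840.113549.1.1.2"))
            + to_pem(build_sample_cert(0x1003, "1.2.840.113549.1.1.11")))

if __name__ == "__main__":
    for serial, (status, alg_a, alg_b) in compare_bundles(BUNDLE_A, BUNDLE_B).items():
        print(f"serial {serial:#x}: {status} ({alg_a} vs {alg_b})")
    print("MD2-signed in B:", [hex(s) for s in unusable_with_gnutls(BUNDLE_B)])
```

On real bundles, replace BUNDLE_A and BUNDLE_B with the contents of ca-bundle.crt and ca-certificates.crt; the serial-keyed index is what makes the "same serial, md2 vs sha1" case stand out, which a plain textual diff of the two files does not.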