[arch-dev-public] [signoff] curl 7.22.0-2

Jan de Groot jan at jgc.homeip.net
Wed Sep 28 10:39:20 EDT 2011

On Wed, 2011-09-28 at 08:52 -0400, Dave Reisner wrote:
> So we're missing the VeriSign Class 3 cert which seems extremely odd.
> As per Verisign[1], all class 3 root certs are in valid and should
> remain in root certificate bundles.

We're not missing it in ca-certificates, we just have a different one.
Both ca-bundle.crt and ca-certificates.crt contain the same serial
number for this certificate, the only difference I can find is this:

Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: md2WithRSAEncryption

curl uses GNUTLS, which doesn't support MD2. OpenSSL should support it,
but it's deprecated. Our builds should still support md2, but I don't
know how far the application has to go to support it.

Our ca-certificates package contains these CAs that are not in mozilla
- brasil.gov.br
- cacert.org
- debconf.org
- gouv.fr
- signet.pl
- spi-inc.org

We patch cacert.org and spi-inc.org into NSS, so that narrows the list a
bit. IMHO we should just drop ca-certificates in its current shape and
replace it with a dump from our NSS package. We could even discuss about
the inclusion of spi-inc.org and cacert certificates.

More information about the arch-dev-public mailing list