[arch-dev-public] [signoff] curl 7.22.0-2
Jan de Groot
jan at jgc.homeip.net
Wed Sep 28 10:39:20 EDT 2011
On Wed, 2011-09-28 at 08:52 -0400, Dave Reisner wrote:
> So we're missing the VeriSign Class 3 cert which seems extremely odd.
> As per Verisign, all class 3 root certs are in valid and should
> remain in root certificate bundles.
We're not missing it in ca-certificates, we just have a different one.
Both ca-bundle.crt and ca-certificates.crt contain the same serial
number for this certificate, the only difference I can find is this:
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: md2WithRSAEncryption
curl uses GNUTLS, which doesn't support MD2. OpenSSL should support it,
but it's deprecated. Our builds should still support md2, but I don't
know how far the application has to go to support it.
Our ca-certificates package contains these CAs that are not in mozilla
We patch cacert.org and spi-inc.org into NSS, so that narrows the list a
bit. IMHO we should just drop ca-certificates in its current shape and
replace it with a dump from our NSS package. We could even discuss about
the inclusion of spi-inc.org and cacert certificates.
More information about the arch-dev-public