Your message dated Wed, 14 Dec 2011 21:03:27 -0600
with message-id <[email protected]>
and subject line Re: new intermediate cert from Thawte
has caused the Debian Bug report #587751,
regarding new intermediate cert from Thawte
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
587751: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587751
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20080809
Severity: wishlist

For a couple of days now Thawte has been signing 2048 bit web certs with
the intermediate cert 'Thawte SSL CA', which is signed in turn by the
already known 'Thawte Primary Root CA'.
So using a new server cert from Thawte with apache needs sending the
complete chain for browsers not knowing the new CA cert.
It would be fine if this cert could be included into ca-certificates to
enable a straightforward apache config with 'SSLCACertificatePath':

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881

(-> SSL Web Server and Wildcard SSL Intermediate CA)

Of course I know about #299017. But the url above didn't contain any
copyright AFAICS.

Thanks,
Christian Storch



--- End Message ---
--- Begin Message ---
tags 587751 wontfix
thanks

My reading leads me to understand the Thawte "Root Certificate License
Agreement" [0] covers intermediate certificates, although I am not a
lawyer. (as #299017 points out, as well, regardless if a particular
single page on a web site doesn't explicitly state copyright/licensing..)

In addition, every Thawte certificate installation document includes a
note similar to:

"Thawte uses Intermediate CAs to enhance the security of SSL and Code
Signing certificates. Installing the correct Intermediate CAs or CA
bundle for the certificate being used is absolutely essential to ensure
that users don't see certificate errors when visiting a website or
running software secured with a Thawte certificate."

or

"Please Note:  On June 27th, 2010 Thawte upgraded its root hierarchy to
2048bit RSA Keys to enhance the security of all SSL products. As a part
of this upgrade, all newly issued certificates now require the
installation of the new Primary and Secondary Intermediate CA's along
with your SSL certificate. These new Intermediate CA's MUST be installed
in order for your SSL certificate to be fully trusted in all browsers."

Bypassing this standard install/usage documentation for Debian users of
Thawte certificates seems incorrect to me.  If Thawte wanted the
intermediate CAs added to browsers, for instance, I'm sure they would
make the effort to work with the browser vendors to include them, but
this appears to be a conscious decision not to do so.

Last note - per #647848, new CA policy should, IMO, require new CA
inclusion/update requests to come from a verifiable representative of
the CA organization.  Random requests to include random CAs will be
closed wontfix.

-- 
Kind regards,
Michael


--- End Message ---
