On 08/01/2012 09:37 AM, Marc Deslauriers wrote: > OK, I am now convinced that we don't need the md2 certs, applications > should be able to validate using the sha1 certs. I believe a bug in > libsoup/glib-networking is causing the sha1 certs to not be used.
Thanks for the clarification. > We still should improve ca-certificates to make _sure_ that we're > shipping the sha1 certs instead of the md2 certs, as it currently ships > the sha1 certs by coincidence as they are listed later in Mozilla's > file. If they ever change the order of their file, we'll be shipping the > md2 ones by mistake. We strive to properly ship each trusted CA in the mozilla certdata.txt, so I agree and will work on correcting this. Thanks for the report :) -- Kind regards, Michael Shuler -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
