On 07/04/10 05:11, Thijs Kinkhorst wrote:
> On Tue, April 6, 2010 22:23, Dererk wrote:
>> Package: ca-certificates
>> Version: 20090814
>> Severity: critical
>> Tags: security
>> X-Debbugs-CC: [email protected]
>>
>> Hello.
>>
>> Please remove "RSA Security 1024 V3" root certificate ASAP from
>> ca-certificates package.
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=549701
>
> In that bug log, Kathleen Wilson states in
> https://bugzilla.mozilla.org/show_bug.cgi?id=549701#c8:
>
> | RSA has confirmed that they are in possession of the private key for the
> | "RSA Security 1024 V3" root certificate. RSA agrees that this root should
> | be removed from NSS.
>
> There doesn't seem to be a compromise situation that would warrant critical
> severity and the security tag. I'm downgrading this to a wish to remove an
> obsolete certificate and leaving that to the ca-certificates maintainers
> to follow up on.

Hi Thijs!

That information appears to have come onto the scene after I opened
this bug, thanks for adding it!

Even though I agree with the statement that it's not currently a
security-affected issue, it's not really just a matter of obsolete
certificates; it's more related to the fact that this Root Certificate
hasn't gone through any kind of audit and it's potentially a thing
you'll want to have in your system.

I wouldn't change severity, even though I consider it more than
important, and I'll let the package maintainer decide.

Greetings!
Dererk
--
BOFH excuse #367:
Webmasters kidnapped by evil cult.