(CCing #619587) I committed an updated mozilla/blacklist.txt to explicitly blacklist the untrusted "Bogus *" and "Explicitly Distrust DigiNotar *" certificates, which will show up in the next upload [2].
On 10/28/2011 03:57 AM, Gijs Hillenius wrote:
> A bit of Googling did not explain to me why Debian's Mozilla package was
> just updated with a bunch of 'Bogus $name' certificates. Could you maybe
> post a little note somewhere why this was done? The name does not
> inspire much confidence... but that might be the intention..

I added an entry to the changelog about these and the bug report has some additional links to read [0] for more information.

These "Bogus *" certificates were the ones that were created by an attacker using Comodo's CA roots, supposedly used for man in the middle (MITM) attacks. These bogus certificates were added by Mozilla with no trust bits set and they are ignored (you will not find them actually installed to /usr/share/ca-certificates/mozilla/). The notification is only clear when building the package [1], so I can see why this is not totally apparent.

They are not installed as trusted root certificates by ca-certificates, but Mozilla included them in the bundle as non-trusted certificates. Perhaps I should not have listed them in the changelog as being added to the Mozilla bundle, since they are not trusted certificates actually installed, but they are something of a different nature. Thoughts?

These are interesting times for the CA infrastructure and one of the reasons I took over maintenance of ca-certificates - the package needs quite a bit more care, so keep a look out for more updates soon.

I appreciate the note - feel free to mail anytime.

[0] http://bugs.debian.org/619587
[1] http://www.pbandjelly.org/debian/ca-certificates_20111025_i386.build
[2] http://anonscm.debian.org/gitweb/?p=collab-maint/ca-certificates.git;a=commit;h=a64eeee35dc8edf7f72e8e2ea7b3677b9bcdbe0e

--
Kind regards,
Michael
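The distinction Michael draws above, between a certificate that is merely present in Mozilla's certdata.txt bundle and one that actually gets installed, comes down to two filters: the trust bits on the entry's trust object, and the packager's own blacklist. The following is an added example written for this page; it is not Debian's certdata2pem script nor Mozilla's code. It parses a constructed, miniature certdata.txt (the MULTILINE_OCTAL bodies are shortened placeholders, not real DER) together with a constructed blacklist whose format, one quoted label per line with `#` comments, is an assumption, and reports which labels would be installed and why the rest are skipped.

```python
"""Simplified model of how a certdata.txt bundle is filtered before install.

Constructed example: a miniature certdata.txt with one trusted root, one
entry shipped with no trust bits (the "Bogus *" situation) and one entry
that upstream trusts but the packager blacklists. Only certificates that
carry a usable trust bit AND are not blacklisted are selected.
"""

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION")

# Constructed sample in the shape of Mozilla's certdata.txt (octal bodies shortened).
SAMPLE_CERTDATA = """\
# Certificate "Example Root CA" (constructed)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001
END

# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Bogus Example" (constructed; shipped with no trust bits)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Bogus Example"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\002
END

# Trust for "Bogus Example"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Bogus Example"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED

# Certificate "Stale Example CA" (constructed; trusted upstream, blacklisted locally)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Stale Example CA"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\003
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Stale Example CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

# Constructed blacklist; the one-quoted-label-per-line format is an assumption.
SAMPLE_BLACKLIST = """\
# labels that must never be installed, whatever upstream's trust bits say
"Stale Example CA"
"""


def parse_certdata(text):
    """Split certdata.txt into objects (runs of CKA_* lines separated by
    blank or comment lines). MULTILINE_OCTAL bodies are decoded to bytes."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("#") or not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        attr, typ, *rest = line.split(None, 2)
        if typ == "MULTILINE_OCTAL":
            body = []
            for octal_line in lines:  # consume up to the END marker
                if octal_line == "END":
                    break
                body.extend(int(o, 8) for o in octal_line.split("\\") if o)
            current[attr] = bytes(body)
        elif typ == "UTF8":
            current[attr] = rest[0].strip('"')
        else:
            current[attr] = rest[0]
    if current:
        objects.append(current)
    return objects


def parse_blacklist(text):
    """Return the set of blacklisted labels, ignoring comments and blanks."""
    labels = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            labels.add(line.strip('"'))
    return labels


def select_for_install(certdata_text, blacklist_text):
    """Pair each certificate with its trust object by label and decide.

    Returns (installed_labels, {skipped_label: reason})."""
    objects = parse_certdata(certdata_text)
    certs = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    blacklist = parse_blacklist(blacklist_text)
    installed, skipped = [], {}
    for label in certs:
        bits = trust.get(label, {})
        if label in blacklist:
            skipped[label] = "blacklisted"
        elif not any(bits.get(a) == TRUSTED for a in TRUST_ATTRS):
            skipped[label] = "no trust bits set"
        else:
            installed.append(label)
    return installed, skipped


if __name__ == "__main__":
    ok, dropped = select_for_install(SAMPLE_CERTDATA, SAMPLE_BLACKLIST)
    print("install:", ok)
    for label, why in dropped.items():
        print("skip   :", label, "-", why)
```

Run as-is it installs only "Example Root CA": "Bogus Example" is present in the bundle but carries CKT_NSS_NOT_TRUSTED on every trust attribute, so it never reaches the install set, while "Stale Example CA" is dropped by the local blacklist even though upstream trusts it.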