On 11/05/2011 01:52 AM, Raphael Geissert wrote:
> On Friday 28 October 2011 07:37:28 Michael Shuler wrote:
>> I committed an updated mozilla/blacklist.txt to explicitly blacklist the
>> untrusted "Bogus *" and "Explicitly Distrust DigiNotar *" certificates,
>> which will show up in the next upload [2].
>
> Is there any specific reason you did that?
> The "Explicitly *" certs do add some more noise, but none of them are
> installed. Even if they were, they are invalid and wouldn't be used.
> The Bogus ones are not installed either, so that's okay.

Indeed, I added them to mozilla/blacklist.txt to cut down on noise, but you are correct, they are not installed either way. Looking at the current openssl-blacklist package, I agree; I don't see value in adding the untrusted certs there.

I was considering a way to whitelist the explicitly untrusted certs in ca-certificates, so that we were installing them, but that seems a bit outside the scope of the package, the more I think about it - if the CA is not installed, the request fails.

I'll back out that commit.

-- 
Kind regards,
Michael